
Ubuntu 21.10 (Impish Indri) released


Posted Oct 17, 2021 19:29 UTC (Sun) by ibukanov (subscriber, #3942)
In reply to: Ubuntu 21.10 (Impish Indri) released by NYKevin
Parent article: Ubuntu 21.10 (Impish Indri) released

With not-so-trusted containers one may not use ssh to enter them. So a better solution will be a utility that can be used to wrap any command, including ssh or a container enter command. That utility then filters OSC 52 and does sensible things with copy-paste before forwarding data to the terminal application.



Ubuntu 21.10 (Impish Indri) released

Posted Oct 18, 2021 1:22 UTC (Mon) by NYKevin (subscriber, #129325)

Sure, that works too. My main point is that the GUI terminal emulator is generally not a great place to put the security boundary, because whatever app runs inside of it already has the technical ability to read the clipboard anyway. If the user decides to run some application, and that app prints an OSC 52 code which steals the clipboard contents, then there are really only two cases here:

* The user is screwed anyway because they just executed malware. Malware can already steal your clipboard contents by other means, and do plenty of much nastier things besides.
* The app is trusted (not malware), but failed to implement an appropriate security boundary between the user and some untrusted system. Then this is a matter of the app's security model either being inadequate or not matching the user's desired security model. That's none of gnome-terminal's business.

We can argue until the cows come home about the proper way to implement this security boundary, but I think it's pretty clear that the answer is not "filter the codes out at the GUI terminal emulator on the local system."

Ubuntu 21.10 (Impish Indri) released

Posted Oct 18, 2021 6:31 UTC (Mon) by ibukanov (subscriber, #3942)

There is a reasonable way to implement OSC 52 in the terminal with rather minimal risk even in the case of malicious code running in the container. Allow copy-paste only when the terminal has focus and only within one second or less after a press on a physical key. For copy, also require that the content of the clipboard was pasted there within, say, 10 seconds after the last copy operation. Alternatively, for copy, the terminal emulator may require first pressing a special keyboard shortcut to make the content of the keyboard available for OSC 52 access. The latter will be similar to how Qubes OS implements cut-and-paste between virtual machines.

Until such functionality is implemented in a terminal it is reasonable to implement it in a filtering application.
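
The filtering wrapper discussed in this thread, reduced to its core as an added example (not code from any commenter or from a terminal project): a streaming filter that removes OSC 52 sequences from a command's output before it reaches the terminal, including sequences split across reads. It assumes the 7-bit introducer ESC ] 52 ; terminated by BEL or ESC \; the class name Osc52Filter and the sample bytes are constructed for illustration.

```python
import re

ESC = b"\x1b"
OSC52 = b"\x1b]52;"                       # 7-bit introducer: ESC ] 52 ;
TERMINATOR = re.compile(rb"\x07|\x1b\\")  # an OSC string ends at BEL or ST

class Osc52Filter:
    """Hypothetical helper: strips OSC 52 from a byte stream fed in chunks."""

    def __init__(self):
        self._held = b""      # undecided tail, re-examined with the next chunk
        self._inside = False  # True while discarding an OSC 52 body
        self.blocked = 0      # completed OSC 52 sequences removed so far

    def feed(self, chunk: bytes) -> bytes:
        buf, self._held = self._held + chunk, b""
        out, pos = bytearray(), 0
        while pos < len(buf):
            if self._inside:
                end = TERMINATOR.search(buf, pos)
                if end is None:
                    # Body continues; keep a trailing ESC in case ST is split.
                    if buf.endswith(ESC):
                        self._held = ESC
                    break
                self._inside = False
                self.blocked += 1
                pos = end.end()
                continue
            start = buf.find(ESC, pos)
            if start == -1:
                out += buf[pos:]
                break
            out += buf[pos:start]
            head = buf[start:start + len(OSC52)]
            if head == OSC52:
                self._inside, pos = True, start + len(OSC52)
            elif OSC52.startswith(head):
                self._held = buf[start:]  # introducer may be split across reads
                break
            else:
                out += ESC                # some other escape sequence: pass through
                pos = start + 1
        return bytes(out)

# Constructed sample: text, a clipboard-set OSC 52, a colour sequence, more text.
SAMPLE = b"ok \x1b]52;c;c2VjcmV0\x07\x1b[32mdone\x1b[0m\n"

if __name__ == "__main__":
    print(Osc52Filter().feed(SAMPLE))
```

A wrapper would call feed() on each read from the child's pty and write the result to the real terminal; the 8-bit C1 forms of OSC and ST are not handled here.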

