Comment by codethief 20 hours ago

20 replies

> Many will point out that a Linux phone is less secure than Android or iOS, but that highly depends on your personal threat model. Linux phones and their apps are all open-source and do not depend on ads or surveillance to sustain some nefarious business model, which means there is much privacy to be won.

Meanwhile here I am on my Linux machine, constantly anxious that sooner or later one of my bazillion npm and pip dependencies will get compromised, and secretly praying that one day proper sandboxing and an Android-security model will be common on the Linux desktop, so that I can erect security boundaries between my applications and repositories.

I find this quote[0] by the developer of SpectrumOS[1] rather telling:

    <qyliss> I have embarked on the ultimate yak shave
    <qyliss> it started with "I wish I could securely store passwords on my computer"
    <qyliss> And now I am at the "I have funding to build my own operating system" level

[0]: https://alyssa.is/about/

[1]: https://spectrum-os.org/

yjftsjthsd-h 13 hours ago

> Meanwhile here I am on my Linux machine, constantly anxious that sooner or later one of my bazillion npm and pip dependencies will get compromised, and secretly praying that one day proper sandboxing and an Android-security model will be common on the Linux desktop, so that I can erect security boundaries between my applications and repositories.

Why wait? You can shove your pip/npm uses into docker/podman and remove 90% of the attack surface today. (Provided you don't map your home directory into the containers)

  • progbits 7 hours ago

    Docker is not a security barrier. There have been plenty of container escape attacks in the past, and plenty more to come.

    But I agree it might remove the 90%.
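As an added example (not code from either commenter), here is one way to act on yjftsjthsd-h's suggestion while keeping progbits's caveat in view: a small POSIX sh wrapper that runs npm or pip for one project inside a rootless podman container with only that project directory mounted, and that refuses outright to mount $HOME or any directory containing it. The image name, the `/work` mount point and the `.sandbox-home` directory are choices made for this example, not anything the thread mentions.

```shell
#!/bin/sh
# Added example, not code from the thread. Runs a package-manager command for
# ONE project inside a rootless podman container, so the install scripts of a
# compromised dependency see only that project directory, never your $HOME.
# Assumptions: rootless podman is installed; IMAGE, /work and .sandbox-home are
# names chosen for this example.

IMAGE="${IMAGE:-docker.io/library/node:20-slim}"   # use python:3.12-slim for pip
PODMAN="${PODMAN:-podman}"                          # set PODMAN=echo for a dry run

# The whole scheme collapses if the bind mount exposes your home directory, so
# reject $HOME itself and any directory that contains it ("/", "/home", ...).
# Returns 0 when the directory is safe to mount, 1 otherwise.
safe_project_dir() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    home=$(cd "${HOME:-/nonexistent}" 2>/dev/null && pwd -P) || home=/nonexistent
    [ "$dir" = / ] && return 1
    case "$home" in
        "$dir"|"$dir"/*) return 1 ;;   # $HOME is, or lives under, the mount source
    esac
    return 0
}

# run_sandboxed DIR CMD...   e.g.  run_sandboxed ~/src/app npm ci
# All capabilities are dropped, the root filesystem is read-only, privilege
# escalation is blocked, and pid/memory limits keep a hostile postinstall
# script from fork-bombing the host. NET=none disables networking entirely,
# which is what you want once dependencies are installed and you only run tests.
run_sandboxed() {
    dir=$1; shift
    if ! safe_project_dir "$dir"; then
        echo "refusing to mount '$dir': it is, or contains, \$HOME" >&2
        return 1
    fi
    dir=$(cd "$dir" && pwd -P)
    mkdir -p "$dir/.sandbox-home"       # npm/pip caches land here, not in ~/.npm
    "$PODMAN" run --rm -it \
        --userns=keep-id \
        --cap-drop=ALL \
        --security-opt=no-new-privileges \
        --read-only --tmpfs /tmp \
        --pids-limit 512 --memory 2g \
        --network "${NET:-private}" \
        -v "$dir:/work:Z" -w /work \
        -e HOME=/work/.sandbox-home \
        "$IMAGE" "$@"
}

[ $# -eq 0 ] || run_sandboxed "$@"
```

Typical use is `run_sandboxed . npm ci` to install and then `NET=none run_sandboxed . npm test` to run the code with no network at all; add `.sandbox-home` to `.gitignore`. This narrows what a malicious dependency can reach, but as progbits notes it is still a shared kernel: a container escape bug gives it the host, so treat this as exposure reduction, not a VM.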

guappa 20 hours ago

Firejail and apparmor have existed for years. If you don't use them maybe it's your fault?

Also the very same npm backdoors have already hit Android apps. What can sandboxing do if you backdoor a dependency of your banking app?

  • tholdem 13 hours ago

    Sandboxing should be built in and by default, not DIY and glued on, like with apparmor and firejail.

    "Your car does not come with a seatbelt? Seatbelt parts are easy to order online and assemble on any car, it's your fault for not using one."

    > Also the very same npm backdoors have already hit android apps. What can sandboxing do if you backdoor a dependency of your banking app?

    The whole point of sandboxing is that one compromised app cannot compromise the whole system and other apps. A compromised dependency in my banking app on Android or iOS only compromises that banking app and nothing else.

    • cosmic_cheese 2 hours ago

      It’s always felt strange that Linux desktops try to make sandboxing and permissions the responsibility of packaging standards. That strikes me as much more of a system level thing like audio or display output.

    • dustbunny 12 hours ago

      Fedora Silverblue is this

      • pona-a 11 hours ago

        How so? I'm writing this from a Fedora Sericea, which is Silverblue but with Sway instead of GNOME. Atomic Fedoras solve only package hysteresis (your package manager being unable to reproduce the intended system state because of unaccounted-for changes) by generating the root file system with OSTree. It has nothing to do with sandboxing the applications themselves.

        • Arnavion 10 hours ago

          It does in the sense that all the applications you install will be via flatpak, so they get sandboxed that way. Of course it depends on how locked down the sandbox is configured for each of those applications.

      • tholdem 11 hours ago

        It may be in the future, but for now it is no different from Fedora Workstation in terms of security. Please correct me if I am wrong. AFAIK Silverblue has no additional sandboxing or any other improvements to security.

        • JCattheATM 11 hours ago

          Pretty sure Fedora, being based on Red Hat, has the strongest SELinux policy in place by default, and SELinux is pretty much the best sandboxing option available other than actual virtualization.
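Arnavion's point above, that a Flatpak sandbox is only as good as each app's own permission set, is something you can check rather than assume. The following is an added example, not code from the thread or from the Flatpak project: a POSIX sh function that reads the `[Context]` / `[Session Bus Policy]` text printed by `flatpak info --show-permissions APP` and names the grants that make the sandbox largely decorative. Which grants count as "broad" is this example's own judgement.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads the [Context] / [Session Bus
# Policy] text that `flatpak info --show-permissions APP` prints and names the
# grants that make the sandbox largely decorative. The classification of what
# counts as a broad grant is this example's own.

# flatpak_broad_grants < permissions.txt   -> one finding per line, none if tight
flatpak_broad_grants() {
    awk -F= '
        /^\[/ { section = $0; next }
        section == "[Context]" && $1 == "filesystems" {
            n = split($2, v, ";")
            for (i = 1; i <= n; i++) {
                sub(/:(ro|rw|create)$/, "", v[i])        # "home:ro" -> "home"
                if (v[i] == "home" || v[i] == "~" || v[i] == "host" ||
                    v[i] == "host-os" || v[i] == "host-etc")
                    print "filesystems=" v[i] ": whole home directory or host exposed; flatpak override --user --nofilesystem=" v[i] " APP"
            }
        }
        section == "[Context]" && $1 == "sockets" {
            n = split($2, v, ";")
            for (i = 1; i <= n; i++) {
                if (v[i] == "x11")
                    print "sockets=x11: X11 gives every client access to all other windows and keystrokes; flatpak override --user --nosocket=x11 APP"
                if (v[i] == "session-bus" || v[i] == "system-bus")
                    print "sockets=" v[i] ": unfiltered D-Bus access to every service on that bus"
            }
        }
        section == "[Context]" && $1 == "devices" && $2 ~ /(^|;)all(;|$)/ {
            print "devices=all: unrestricted /dev"
        }
        section == "[Session Bus Policy]" && $1 == "org.freedesktop.Flatpak" && $2 != "none" {
            print "org.freedesktop.Flatpak=" $2 ": app may run commands on the host via flatpak-spawn --host; flatpak override --user --no-talk-name=org.freedesktop.Flatpak APP"
        }
    '
}

# audit_flatpak APP_ID   e.g.  audit_flatpak org.mozilla.firefox
audit_flatpak() {
    flatpak info --show-permissions "$1" | flatpak_broad_grants
}
```

The `org.freedesktop.Flatpak` talk permission is the one to look for first: an app that holds it can spawn arbitrary commands outside the sandbox, so every other restriction is cosmetic. Each finding carries the `flatpak override` that removes the grant, and `flatpak override --user --show APP` shows what you have already changed.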

  • aragilar 20 hours ago

    Or go old-school with multiple users and chroots? You could even install from (and host) a trusted repository, where the source and binaries are vetted (and you can pay people to do this for you).

    • xorcist 19 hours ago

      Server software is usually compartmentalized into UIDs but desktop software seldom is, if ever. Package managers and maintainers could do a lot here to make it easier. Some things long-time Linux users like to do, like running Firefox as a separate user, are still much more involved than they should be.

      A lot of it is probably standards and culture work, like where a user can expect to store files and have them readable by Firefox in this example. So perhaps this is something the GNOME/Freedesktop people could have been interested in and made a difference? Instead we have things like Flatpak, which is good but not the lowest hanging fruit here.

      • guappa 18 hours ago

        You're going to deal with the users who can't attach a file to an email because the firefox process has no access to it?

        • taeric 14 hours ago

          To be fair, if Firefox had the intelligence to know that it was being asked to attach a file it didn't have access to, it could prompt for a password. I don't expect full TRAMP-like smarts from Emacs, but I don't see why this wouldn't be doable?

          Granted, I'm viewing this as far easier than the sandbox "fake file system" approach? Firefox would be able to see the file exists, most likely, but just not have read rights to it. Yes, you can have some things it can't list, but I would expect that to be low on probability to want to attach to an email?

      • aragilar 18 hours ago

        For user-facing stuff, I agree it's hard because of the challenge of managing access to data (and I would argue no system does this well, Android has a different set of failure modes, and I've not used QubesOS but presumably it has its own issues as well), but in the top-level comment, the concern was around using pip/npm, which to me is almost a solved problem if you care enough and are willing to put the effort (and money) in.

        It's also not like Linux is any different with respect to installing random PyPI/npm packages on any other desktop/laptop OS (https://xkcd.com/1200/), so I'm not sure anything desktop Linux does here would change the fact that installing random software from the internet may be a bad idea sometimes ;)

        • taeric 14 hours ago

          Completely agreed on this. Linux, by and large, should actually be far easier here? Have a "work account" for your machine where you do these tasks and you are basically there. Switching to a gaming account or your banking/etc. seems easy enough?
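xorcist's "Firefox as a separate user" and the guappa/taeric exchange about attaching files come down to two things: getting a second UID onto your display, and giving the two accounts one place where files can cross. The following is an added example, not code from any of the commenters: a POSIX sh script with a one-time root setup and a per-session launcher, plus a setgid drop directory so downloads and attachments pass between the accounts without either one seeing the other's home. The names `ffx`, `ffxshare` and `/var/ffx-drop` are this example's choices; it assumes X11 with `xhost` (Wayland compositors do not hand their socket to other users this way).

```shell
#!/bin/sh
# Added example, not code from the thread. Runs Firefox as its own Unix user on
# an X11 session, with a shared drop directory for passing files in and out.
# Assumptions: X11 with xhost available (Wayland compositors do not expose the
# display to other users this way); sudo; APP_USER, SHARE_GROUP and DROP_DIR
# are names chosen for this example.

APP_USER="${APP_USER:-ffx}"
SHARE_GROUP="${SHARE_GROUP:-ffxshare}"
DROP_DIR="${DROP_DIR:-/var/ffx-drop}"

# make_dropbox DIR GROUP: a directory both accounts can use. The setgid bit
# (the 2 in 2770) makes every file created inside inherit GROUP, so downloads
# saved by Firefox are readable by you and files you copy in are readable by
# Firefox, while neither account can see the other's home directory.
make_dropbox() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2770 "$1"
}

# setup_firefox_user: one-time, run as root via sudo. Creates the app user with
# no login shell, a shared group holding both accounts, and the drop directory.
setup_firefox_user() {
    desktop_user=${SUDO_USER:?run via sudo so the desktop user is known}
    groupadd -f "$SHARE_GROUP"
    id "$APP_USER" >/dev/null 2>&1 || useradd -m -s /usr/sbin/nologin "$APP_USER"
    usermod -aG "$SHARE_GROUP" "$APP_USER"
    usermod -aG "$SHARE_GROUP" "$desktop_user"
    make_dropbox "$DROP_DIR" "$SHARE_GROUP"
}

# run_firefox: run as your desktop user. Grants the app user access to your X
# display (local socket only, nothing over the network), then starts Firefox
# under it with an empty environment so none of your own variables, agent
# sockets or tokens leak across.
run_firefox() {
    xhost "+SI:localuser:$APP_USER" >/dev/null
    sudo -u "$APP_USER" -H env -i DISPLAY="$DISPLAY" HOME="/home/$APP_USER" \
        PATH=/usr/local/bin:/usr/bin:/bin firefox "$@"
}

case "${1:-}" in
    setup) setup_firefox_user ;;
    run)   shift; run_firefox "$@" ;;
esac
```

`sudo ./ffx.sh setup` once, then `./ffx.sh run` per session (log out and back in after setup so the new group membership applies). To attach a file, copy it into `/var/ffx-drop` and pick it from there in the file dialog; downloads point the other way. This is the manual version of what taeric describes; X11's lack of isolation between clients means the second user still shares your display, so it separates files and credentials, not keystrokes.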

asdff 12 hours ago

Just another reason not to needlessly update dependencies. To say nothing of the risk of compromising legacy code. And if you are someone who updates your dependencies constantly just because, consider that for many of the packages you are updating to, they don't even do that and use some ancient dependency themselves owing to legacy code issues and the fact everyone for some reason wants to rename all their functions and flags every major version change.

mixmastamyk 10 hours ago

- opensnitch

- flatpak

- docker/podman/vm, etc

- /etc/shadow has been around for decades.

- Boot/login with TPM / Yubikey etc around for a decade.

ForHackernews 14 hours ago

This is a solved problem if you trust the packaging folks for your distro. Most end-users will never need to install some random stuff from npm or pypi: these are developer-specific concerns.

  • diggan 13 hours ago

    > Most end-users [...] these are developer-specific concerns

    I'd wager a bet and say most end-users who end up using Linux are, by one definition or more, developers.