11 votes

A secure operating system

16 comments

  1. [2]
    Durallet
    Here are some additional links regarding OS security, mainly concerning Linux: Madaidan's "Linux (in)security" article Whonix: Fixing the Linux desktop security model Post 1, Post 2 The Linux...
    7 votes
    1. FantasyCookie17
      I am aware of some of those (the first one in particular, I know the person who wrote it), yes. I just wanted to do an article that summarizes (and thus compares) different OSes on one page. I've seen similar collections of links… Mainly by someone called "cn3m" on Matrix and Reddit.

      2 votes
  2. [10]
    lionirdeadman
    > Flatpak, however, has some quite severe issues with its sandbox,

    This particular article has been proven to be quite wrong. I can make a full breakdown but the TL;DR is:

    • The Sandbox is not a lie, just learn to use the permissions of the sandboxing system while more and more of the permissions move to portals.
    • You are getting updates. The problem is simple, people can be late to update things just like any model of distribution.
    • All projects have security problems and how they handle them varies a lot. AFAIK the kernel doesn't even say there's security implications at all in release notes.

    > The default GUI stack is X11

    This is false. GNOME has defaulted to Wayland since... GNOME 3.10 which is... around 7 years ago, I think? Sure, some distros change this like Ubuntu but others don't. Of course, it depends on the Desktop environment / Window manager to support Wayland. I'd argue there's no default on the """Linux platform""".

    As for the Wayland exploit, yeah, it's bad, we should sandbox more and more which is what I've been doing with Flatpak. (which you mention later, my bad)

    4 votes
    1. [2]
      FantasyCookie17
      > All projects have security problems

      Tbh, that sounds like a whataboutism to me.

      > You are getting updates. The problem is simple, people can be late to update things just like any model of distribution.

      Sure, I wasn't criticizing that aspect of flatpak.

      > The Sandbox is not a lie, just learn to use the permissions of the sandboxing system while more and more of the permissions move to portals.

      The problem is a lot of the apps are not properly sandboxed, and basically trusted by default (some can even change their own permissions, or access dotfiles in the user's home directory), you can get root by installing an SUID binary with flatpak install --user, and the sandbox is not fine-grained enough for certain things, meaning it's either good security, but breaks almost everything, or works, but is easily bypassable.

      4 votes
      1. lionirdeadman
        > Tbh, that sounds like a whataboutism to me.

        I'd say it's just an inherent flaw of package distribution. Things get updated when maintainers do it.

        > The problem is a lot of the apps are not properly sandboxed

        Feel free to PR when you think this is true. I definitely agree some things are too lean on permissions and I override this with Flatseal or Flatpak override.

        > (some can even change their own permissions

        Assuming they have access to the folder for this, that is true.

        > the sandbox is not fine-grained enough for certain things

        Can you give examples? Although, I agree that device=* is not fine-grained enough for example, filesystem is about as fine-grained as could be. Obviously though, from my point of view, portals are what will replace permissions at least for most things where this is true like filesystem access, screen recording, global hotkey, etc.

        3 votes
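
Added example (not part of the thread, and not Flatpak's or Flatseal's code): a small audit of the permission text that `flatpak info --show-permissions <app-id>` prints, flagging the grants discussed above. The finding tags and sample metadata are constructed, and it assumes, as the comments describe, that a writable home-wide grant reaches the per-user overrides folder.

```python
import configparser

# Constructed sample in the keyfile format that
# `flatpak info --show-permissions <app-id>` prints; not a real app's manifest.
SAMPLE_METADATA = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=home;xdg-download:ro;
"""

HOME_WIDE = {"home", "host", "~"}  # grants covering the whole home directory
OVERRIDES_DIR = "~/.local/share/flatpak/overrides"  # per-user override files

def _grants(ctx, key):
    """Split a ';'-separated value, skipping '!'-prefixed removals."""
    return [v for v in ctx.get(key, "").split(";") if v and not v.startswith("!")]

def _reaches_overrides(path):
    """True if `path` is the overrides directory or one of its parents."""
    path = path.rstrip("/").replace("xdg-data", "~/.local/share", 1)
    return OVERRIDES_DIR == path or OVERRIDES_DIR.startswith(path + "/")

def audit_permissions(metadata_text):
    """Return (tag, grant) pairs for grants that weaken the sandbox."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(metadata_text)
    ctx = parser["Context"] if parser.has_section("Context") else {}
    findings = []
    for grant in _grants(ctx, "filesystems"):
        path, _, mode = grant.partition(":")
        home_wide = path in HOME_WIDE
        if home_wide:
            findings.append(("dotfiles-exposed", grant))
        # Write access to the overrides folder lets the app rewrite its own grants.
        if mode != "ro" and (home_wide or _reaches_overrides(path)):
            findings.append(("can-edit-own-overrides", grant))
    if "all" in _grants(ctx, "devices"):
        findings.append(("all-devices", "devices=all"))
    if "x11" in _grants(ctx, "sockets"):
        findings.append(("x11-socket", "sockets=x11"))
    return findings

if __name__ == "__main__":
    for tag, grant in audit_permissions(SAMPLE_METADATA):
        print(f"{tag:24} {grant}")
```

A read-only grant such as `home:ro` still reports exposed dotfiles but not the self-modification finding, which is the distinction the two posters are arguing over.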
    2. FantasyCookie17
      As for "The default GUI stack is X11", I guess that's mostly a semantics issue, but yes, I see what you mean. I'll fix that in a second.

      2 votes
    3. [6]
      axeld
      > The Sandbox is not a lie, just learn to use the permissions of the sandboxing system while more and more of the permissions move to portals.

      Expanding upon this, there's now an application called Flatseal that you can use to play with the sandbox of all the flatpaks installed on your system.

      2 votes
      1. [5]
        FantasyCookie17
        I once tried to use it, but it didn't start properly…

        1 vote
        1. [4]
          lionirdeadman
          It recently had an update to fix if a library couldn't read desktop files properly. You should try again.

          1. [3]
            FantasyCookie17
            Oh, it wasn't just the .desktop file. It threw some weird errors when trying to launch it via command line, no matter whether I used Wayland or X11.

            1 vote
            1. [2]
              lionirdeadman
              Can I see the error? The error regarding the desktop file not being read properly isn't exactly easy to read.

              Although, I guess it's too late to reproduce by now..

              1. FantasyCookie17
                Seems like it indeed is. I am able to start it now.

                1 vote
  3. [4]
    FantasyCookie17
    This post, written by me, is already a few days old, but I'm new on here, and thought some of you might be interested.

    4 votes
    1. [4]
      Comment deleted by author
      1. Whom
        Worthless nitpick, but Matrix is still Matrix. The Riot client in particular is now Element.

        7 votes
      2. [2]
        FantasyCookie17
        As already said, Matrix is indeed still called Matrix. Anyway, Freddy shared one of my posts on here, which is why I joined (I heard of it before though in the Techlore room). May I ask which room you know me from, and perhaps what your MXID is?

        2 votes
        1. [2]
          Comment deleted by author
          1. FantasyCookie17
            Ah, I see. Might be I've seen you in there… I can certainly see you in the room members list, however.

            2 votes