Here are some additional links regarding OS security, mainly concerning Linux:
Madaidan's "Linux (in)security" article
Whonix: Fixing the Linux desktop security model Post 1, Post 2
The Linux Security Circus: On GUI isolation, blog post by Joanna Rutkowska
Jan Hrach's wiki article on Linux Insecurity
Brad Spengler (PaX Team/grsecurity) interview
Brad Spengler's interview notes
"When Posturing Meets Reality", forum post by Brad Spengler about the infamous WaPo article on Linux security
Syzbot and the Tale of Thousand Kernel Bugs (posted to /r/GrapheneOS)
Battle of the SKM and IUM: How Windows 10 Rewrites OS Architecture (Black Hat USA 2015 talk)
Is the Linux Desktop Less Secure than Windows 10? (FOSDEM 2017 talk)

I am aware of some of those (the first one in particular, I know the person who wrote it), yes. I just wanted to do an article that summarizes (and thus compares) different OSes on one page. I've seen similar collections of links… Mainly by someone called "cn3m" on Matrix and Reddit.

> Flatpak, however, has some quite severe issues with its sandbox,
This particular article has been proven to be quite wrong. I can make a full breakdown but the TL;DR is:
The Sandbox is not a lie, just learn to use the permissions of the sandboxing system while more and more of the permissions move to portals.
You are getting updates. The problem is simple, people can be late to update things just like any model of distribution.
All projects have security problems and how they handle them varies a lot. AFAIK the kernel doesn't even say there's security implications at all in release notes.
> The default GUI stack is X11
This is false. GNOME has defaulted to Wayland since... GNOME 3.10 which is... around 7 years ago, I think? Sure, some distros change this like Ubuntu but others don't. Of course, it depends on the Desktop environment / Window manager to support Wayland. I'd argue there's no default on the """Linux platform"""
As for the Wayland exploit, yeah, it's bad, we should sandbox more and more which is what I've been doing with Flatpak. (which you mention later, my bad)

> All projects have security problems
Tbh, that sounds like a whataboutism to me.
> You are getting updates. The problem is simple, people can be late to update things just like any model of distribution.
Sure, I wasn't criticizing that aspect of flatpak.
> The Sandbox is not a lie, just learn to use the permissions of the sandboxing system while more and more of the permissions move to portals.
The problem is a lot of the apps are not properly sandboxed, and basically trusted by default (some can even change their own permissions, or access dotfiles in the user's home directory), you can get root by installing an SUID binary with flatpak install --user, and the sandbox is not fine-grained enough for certain things, meaning it's either good security, but breaks almost everything, or works, but is easily bypassable.

> Tbh, that sounds like a whataboutism to me.
I'd say it's just an inherent flaw of package distribution. Things get updated when maintainers do it.
> The problem is a lot of the apps are not properly sandboxed
Feel free to PR when you think this is true. I definitely agree some things are too lean on permissions and I override this with Flatseal or Flatpak override
> (some can even change their own permissions
Assuming they have access to the folder for this, that is true.
> the sandbox is not fine-grained enough for certain things
Can you give examples? Although, I agree that device=* is not fine-grained enough for example, filesystem is about as fine-grained as could be. Obviously though, from my point of view, portals are what will replace permissions at least for most things where this is true like filesystem access, screen recording, global hotkey, etc.
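
An added example, not part of the thread or of Flatpak itself: one way to check an app for the over-broad grants debated above (home-directory access, the all-or-nothing device permission, the X11 socket) and to build the matching flatpak override call. The sample metadata, the app ID org.example.App and the choice of which grants count as "broad" are assumptions made for illustration.

```python
import configparser

# Constructed sample in the keyfile format printed by
# `flatpak info --show-permissions <app-id>`; not taken from a real app.
SAMPLE = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=home;xdg-download;!~/.ssh;
"""

# What counts as "too broad" is this example's assumption, not an official list.
BROAD = {
    "filesystems": {"host", "home"},  # whole tree, dotfiles included
    "devices": {"all"},               # every device node, no finer split
    "sockets": {"x11"},               # X11 gives no isolation between clients
}
DENY_FLAG = {"filesystems": "--nofilesystem", "devices": "--nodevice",
             "sockets": "--nosocket"}


def audit(metadata_text):
    """Return [(key, grant)] for each broad grant in a permissions dump."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(metadata_text)
    if not cp.has_section("Context"):
        return []
    findings = []
    for key, broad in BROAD.items():
        for grant in cp["Context"].get(key, "").split(";"):
            if not grant or grant.startswith("!"):  # empty, or '!' = denied entry
                continue
            name = grant.split(":", 1)[0]           # strip :ro / :rw / :create
            if name in broad:
                findings.append((key, grant))
    return findings


def override_command(app_id, findings):
    """Build a per-user `flatpak override` call revoking the flagged grants."""
    flags = [f"{DENY_FLAG[k]}={g.split(':', 1)[0]}" for k, g in findings]
    return " ".join(["flatpak", "override", "--user", *flags, app_id])


if __name__ == "__main__":
    hits = audit(SAMPLE)
    for key, grant in hits:
        print(f"broad grant: {key}={grant}")
    print(override_command("org.example.App", hits))
```

Revoking a grant this way can break an app that has no portal-based fallback, which is the usability trade-off the posts above argue about.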

As for
, I guess that's mostly a semantics issue, but yes, I see what you mean I'll fix that in a second.

> The Sandbox is not a lie, just learn to use the permissions of the sandboxing system while more and more of the permissions move to portals.
Expanding upon this, there's now an application called Flatseal that you can use to play with the sandbox of all the flatpaks installed on your system.

I once tried to use it, but it didn't start properly…

It recently had an update to fix if a library couldn't read desktop files properly. You should try again.

Oh, it wasn't just the .desktop file. It threw some weird errors when trying to launch it via command line, no matter whether I used Wayland or X11.

Can I see the error? The error regarding the desktop file not being read properly isn't exactly easy to read.
Although, I guess it's too late to reproduce by now...

Seems like it indeed is. I am able to start it now.

This post, written by me, is already a few days old, but I'm new on here, and thought some of you might be interested.

Worthless nitpick, but Matrix is still Matrix. The Riot client in particular is now Element.

As already said, Matrix is indeed still called Matrix. Anyway, Freddy shared one of my posts on here, which is why I joined (I heard of it before though in the Techlore room). May I ask which room you know me from, and perhaps what your MXID is?

Ah, I see. Might be I've seen you in there… I can certainly see you in the room members list, however.