| ▲ | cosmic_cheese 3 hours ago |
| Desktop OSes and their derivatives are woefully behind in this regard, and unfortunately the will to bring them up to par is incredibly weak. Of those in mass use (Qubes OS is neat but its user base isn’t even a rounding error), macOS probably does the most, but it’s still lagging behind iOS and what’s been implemented has come with much consternation from the technically inclined peanut gallery. I understand some amount of reticence with commercial OSes, but there’s no justification for being against it on open Linux based desktops and mobile OSes. We really need to get past the 90s-minded paradigm of everything having access to everything else all the time with the only (scantly) meaningful safeguards coming in the form of *nix user permissions. |
|
| ▲ | palata 3 hours ago | parent | next [-] |
| > We really need to get past the 90s-minded paradigm of everything having access to everything else all the time I do agree with that, and I strongly believe that the iOS and Android security model is way ahead of Desktop Linux. But what I observe is that nobody seems to care about the security model. A recurrent complaint I see against anything AOSP-based (including Android) is that people "want to be root". |
| |
| ▲ | necovek 2 hours ago | parent | next [-] | | It comes from a history of using mostly trusted application sources like Debian/Ubuntu package archives with manual review being the norm. And few supply chain attacks. But both Flatpak and Snap offer this new model from the two biggest desktop players in the Linux world: Red Hat and Canonical. As the sibling comment said though, being an administrator for your own computer (including a phone) does not mean that you will be running untrusted applications as one: on the contrary, if you assume an administrator role and run an untrusted application, naturally, all bets are off. But even as a power user, I'd love to be able to safely run programs I do not necessarily trust, feeding it only data it needs and no more. Again, Snap/Flatpak provide this model, but we need to see more application authors take them up to ship their software. | |
| ▲ | Crespyl 2 hours ago | parent | prev [-] | | Allowing the owner of the device root access doesn't necessarily break the security model. It just means that the user can grant additional privileges to specific apps the owner has decided to trust. Every other app still has to abide by the restrictions. The fact that Android complains and tells any app that asks whether the owner actually, you know, owns the device they paid for is an implementation detail. A Linux distribution that adopts an Android style security model could easily still provide the owner root access while locking down less trusted apps in such a way that the apps can't know or care whether the device is rooted. |
|
|
| ▲ | fooker 3 hours ago | parent | prev | next [-] |
| Fun fact - on most Linux distros any user program can see almost any event, yes including key presses, by reading from the right /dev/... file. This is not surprising. The desktop Linux community reacted with hostility to the well funded security efforts (selinux, apparmor, grsecurity, etc) |
| |
| ▲ | necovek an hour ago | parent | next [-] | | Do you have any source for that claim? That would be a pretty serious security issue even unrelated to any security hardening (eg. on a multi-user system, one user could read out the password from another user — even with desktop usage, second user could be SSHed in). As a datapoint, everything in /dev/input/* is owned by root:input on my Debian Bookworm install, and my main user is not a member of the "input" group either. Biggest problem with most security hardening for Linux desktop is that it breaks the natural usage pattern: I store my files by their content, not by their format (eg. I might have a folder for my project containing image files, spreadsheets, FreeCAD files, maybe even some code or TeX/ODF files). If programs are restricted to access the entirety of my $HOME though, there is not much benefit to that protection since that's where my most valuable data is. If they are restricted to per-program folder, I need to start organizing my data differently and unnaturally. Android mostly does not use the "files" metaphor and basically does exactly that (per-app data): coming up with a security model and file management UX that does both is where the challenge is. | |
| ▲ | horsawlarway 2 hours ago | parent | prev [-] | | Security is a tradeoff (fucking always...) It's the same reason I choose to keep my front door unlocked basically all the time - I know my neighborhood, the risk is really low and the convenience is high. Further... practically everyone agrees that they don't need bank vaults as front doors. It makes zero practical sense: The cost is incredibly high, and the convenience is very low. There are ALL sorts of wonderfully cool things you can do on a system where applications are allowed to trust each other, and the system is permissive by default. You can customize behavior more easily, you can extend software more easily, you can add incredibly detailed & functional accessibility support, you can create incredibly powerful macros and commands. This is so important that fundamental OS design from the early 90s actually prioritized and catered to exactly this style of open, trusted, platform (ex - all of COM in windows...). This is what made personal computing a reality... All of those fall flat when you try to impose "well funded" security efforts. Those efforts have a place, in the same way that bank vaults have a place. Whether that place is a personal computer is a different question. Implying those folks are hostile for no reason is... at best a woeful misunderstanding of the situation, and at worst a malicious mischaracterization. |
|
|
| ▲ | necovek 2 hours ago | parent | prev | next [-] |
| Flatpak and Snaps are built to solve this. They do conflict with some expectations from users to be able to play around with things, though, so they do not have the penetration one might want. |
| |
| ▲ | cosmic_cheese 2 hours ago | parent | next [-] | | They only cover the user-facing app part of the story. The rest of the system needs isolation and safeguards, too, including things like the desktop environment and whatever random daemon. A solution that's integral to the system and not just loosely taped on is required. | |
| ▲ | NewJazz an hour ago | parent | prev [-] | | Flatpak provides very weak sandboxing compared to android. It was more about packaging and distribution than security. |
|
|
| ▲ | gspr 2 hours ago | parent | prev [-] |
| Aren't all the necessary pieces for something better essentially in place now that unprivileged namespaces are well-established? They've for sure had more than their fair share of security issues, but those are bugs, not fundamental design problems as far as I understand? |
