Basically

  • Sandboxing is bad, bubblewrap (used in Flatpak) is a really good implementation though. Firefox and other apps are not very well sandboxed though
  • The kernel is endangered through user namespaces (used in Flatpak and Podman/Docker containers i.e. in Distrobox and Toolbox too)
  • the root password can be extracted veeery easily, especially when entering it through a terminal. Windows “okay” button might actually be more secure!
  • X11 is insecure, okay we know that
  • the kernel is very bloated and everything in there has all the permissions, which is not needed
  • Kernel bugs are often not fixed quickly or at all
  • Stable Distros are insecure if only CVE bugs are backported, as many security bugs dont get a CVE

I am currently experimenting with the hardened Kernel and hardened_malloc, I use GrapheneOS since over a year.

On Linux its a bit more difficult though, as Flatpak and Distrobox dont work anymore.

This would mean user namespaces need to be enabled again, which I can’t seem to make work with

sudo sysctl -w kernel.unprivileged_users_clone=1

But the file doesnt exist and creating it doesnt work, probably needs to be a karg or something?

I am testing all this using the hardened mod of Ublue (a slight Fedora deviation using its image-based distribution model):

https://github.com/qoijjj/hardened-images

The images are rather opinionated though and have things like Flatpak removed, making them nearly unusable.

Maybe nix is a solution? Would this be a good idea?

Another point, bubblejail is not yet in the Fedora repos, which would be a way to make secure sandboxing accessible. Here is a spec file from rusty-snake.

What do you know about this?

    • I remember reading there, when it wasn’t on github pages but it’s own website, the recommendation to keep your critical dotfiles permissioned to a different user account of yours. I don’t think that’s bad advice. Yes it is probably not needed if you use the system as a pro sysadmin for server purposes, but for desktop use it’s just natural that you’ll run a lot more programs in a much less controlled manner.

      Of course there were ones that I thought they went overboard, but it has at least a few good pieces, if not more, I don’t really remember.

  • @GustavoM@lemmy.world
    link
    fedilink
    English
    31 year ago

    Not really relevant, but I’ve got a “rule of thumb” for all security-related issues;

    “If it doesn’t nuke my PC, then I’m good. If it does, then I’m still good since backups and logs exist, and if it was related to the latest seucirty issue? Then I make a quick patch and/or update. Then back to 1.”