this post was submitted on 06 Nov 2023
548 points (94.6% liked)

Linux

48329 readers
764 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] Spectacle8011@lemmy.comfysnug.space 61 points 1 year ago (4 children)

What really needs to happen:

Flatpak packages should ask for every permission they need, and the user needs to approve every one of them.

Right now, we have this weird in-between state where some flatpak packages ship with limited permissions (like Bottles). That's because every permission the package asks for is immediately granted. The user doesn't get a chance to refuse these requests. This current model serves to make life more difficult for non-malicious flatpak packagers while failing to protect users from malicious packages.

Also, GNOME needs a Flatpak permissions center like KDE. You shouldn't need to install a third party program to manage permissions.

[–] JoYo@lemmy.ml 20 points 1 year ago

it’s weird that android and ios already provide this but THE container standard doesn’t

[–] miss_brainfart@lemmy.ml 15 points 1 year ago (1 children)

Absolutely, permissions should be disabled by default, and only when the app needs to do something that requires a certain permission should it ask for it.

Maybe even do something like Android, where permissions automatically get revoked if you don't use an app for a certain time. I love that feature.

[–] oldfart@lemm.ee 2 points 1 year ago* (last edited 1 year ago) (1 children)

It's the first time I hear someone praise Android messing with user's settings. Care to elaborate why you like it?

[–] miss_brainfart@lemmy.ml 4 points 1 year ago (1 children)

There is very little reason any app should keep its permissions if you never actually use it, is there?

Especially when most people use apps that phone home every last piece of data they give them access to.

[–] oldfart@lemm.ee 3 points 1 year ago (1 children)

I don't agree but I see your point, that would certainly be useful to some people. Thank you for explaining.

[–] miss_brainfart@lemmy.ml 1 points 1 year ago

I think it's enabled by default, but you can also just disable it for specific apps.

But if you leave it enabled and permissions get revoked after a while, you'll get a notification telling you about it. I think that's fair.

There's always going to be a debate on whether something like this should be opt-in or opt-out, but for the purpose of privacy and data security, it makes sense to be on by default, I reckon.

[–] fossisfun@lemmy.ml 8 points 1 year ago (1 children)

I've tried to combat this a bit with a global Flatpak override that takes unnecessarily broad permissions away by default, like filesystem=home, but apps could easily circumvent it by requesting permissions for specific subdirectories. This cat-and-mouse game could be fixed by allowing a recursive override, such as nofilesystem=home/*.

But even then, there is still the issue with D-Bus access, which is even more difficult to control ...

I think it is sad that Flatpak finally provides the tool to restrict desktop apps in the same way that mobile apps have been restricted for a decade, but the implementation chooses to be insecure by default and only provides limited options to make it secure by default.

[–] TeryVeneno@lemmy.ml 1 points 1 year ago

I think the main reason why the implementation is insecure by default is simply because when it started most applications did not use portals and many portals we have today did not exist. You had to poke holes in the sandbox to make anything work cause all applications expected to run unconstrained. In the future as more apps become flatpak aware this should stop being an issue.

[–] anon5621@lemmy.ml 3 points 1 year ago (1 children)
[–] Spectacle8011@lemmy.comfysnug.space 2 points 1 year ago* (last edited 1 year ago)

I don't doubt it, but this is a good place to start.

This claim has interesting phrasing:

Adding X11 sandboxing via a nested X11 server, such as Xpra, would not be difficult, but Flatpak developers refuse to acknowledge this and continue to claim, "X11 is impossible to secure".

If you look at the GNOME post, you'll see they haven't argued against including a nested X server at all:

Now that the basics are working it’s time to start looking at how to create a real sandbox. This is going to require a lot of changes to the Linux stack. For instance, we have to use Wayland instead of X11, because X11 is impossible to secure.

I'm not saying they haven't refused to acknowledge this elsewhere, but it's strange to point to this blog post which acknowledges that the sandbox is very much a work-in-progress and agrees with Madaidan that X11 is hard to secure.

Does Xpra provide better sandboxing than XWayland? If not, I think the Flatpak developer's solution to this is: just use Wayland. And obviously, there's plenty of room to improve with the permissions Flatpak does offer.

I did some searching on the Flatpak Github for issues and found that you can actually use Xpra with Flatpak, and the answer is "just use Wayland":


This is also concerning:

As odd as this may sound, you should not enable (blind) unattended updates of Flatpak packages. If you or a Flatpak frontend (app store) simply executes flatpak update -y, Flatpaks will be automatically granted any new permissions declared upstream without notifying you. Using automatic update with GNOME Software is fine, as it does not automatically update Flatpaks with permission changes and notifies the user instead.

Source: https://privsec.dev/posts/linux/desktop-linux-hardening/#flatpak

It's great that GNOME Software notifies you when permissions change! I don't use Flatpak enough to know, but I hope flatpak update notifies you too if you don't use the -y option.