zlacker

MacOS has been getting a lot of flak recently for (correct) UI reasons, but I honestly feel like they're the closest to the money with granular app permissions.

Linux people are very resistant to this, but the future is going to be sandboxed iOS style apps. Not because OS vendors want to control what apps do, but because users do. If the FOSS community continues to ignore proper security sandboxing and distribution of end user applications, then it will just end up entirely centralised in one of the big tech companies, as it already is on iOS and macOS by Apple.

>>troad+(OP)
I'm sure that will contribute to the illusion of security, but in reality the system is thoroughly backdoored on every level from the CPU on up, and everyone knows it.

There is no such thing as computer security, in general, at this point in history.

>>troad+(OP)
Sand-boxing such as in Snap and Flatpak?

>>symaxi+w
Notoriously not actually secure, at least in the case of Flatpak. (Can't speak to Snap)

Not sure how something can be called a sandbox without the actual box part. As Siri is to AI, Flatpak is to sandboxes.

>>its_ma+l
> but in reality the system is thoroughly backdoored on every level from the CPU on up, and everyone knows it.

Indeed. Why lock your car door as anyone can unlock and steal it by learning lock-picking?

>>troad+(OP)
> getting a lot of slack recently

I think you mean a lot of flak? Slack would kind of be the opposite.

>>troad+81
The XDG portal standards being developed to provide permissions to apps (and allow users to manage them), including those installed via Flatpak, will continue to be useful if and when the sandboxing security of Flatpaks are improved. (In fact, having the frontend management part in place is kind of a prerequisite to really enforcing a lot of restrictions on apps, lest they just stop working suddenly.)

>>symaxi+w
Snap and Flatpak do both sandboxing and package management.

You can use the underlying sandboxing with bwrap. A good alternative is firejail. They are quite easy to use.

I prefer to centralize package management to my distro, but I value their sandboxing efforts.

Personally, I think it's time to take sandboxing seriously. Supply chain attacks keep happening. Defense is depth is the way.

>>its_ma+l
There's a subtlety that's missing here: if your threat model doesn't include the actors who can access those backdoors, then computer security isn't so bad these days.

That subtlety is important because it explains how the backdoors have snuck in — most people feel safe because they are not targeted, so there's no hue and cry.

>>jacobg+k1
Haha, yes, corrected. Thank you. I have a habit of fusing unrelated expressions.

>>troad+(OP)
It also has persistent permissions.

Think about it from a real world perspective.

I knock on your door. You invite me to sit with you in your living room. I can't easily sneak into your bed room. Further, your temporary access ends as soon as you exit my house.

The same should happen with apps.

When I run 'notepad dir1/file1.txt', the package should not sneakily be able to access dir2. Further, as soon as I exit the process, the permission to access dir1 should end as well.

>>ashish+a1
Residents of San Francisco ask themselves that question all the time.

>>troad+(OP)
I think we could get a lot further if we implement proper capability based security. Meaning that the authority to perform actions follows the objects around. I think that is how we get powerful tools and freedom, but still address the security issues and actually achieve the principle of least privilege.

For FreeBSD there is capsicum, but it seems a bit inflexible to me. Would love to see more experiments on Linux and the BSDs for this.

>>troad+81
Doesn't it use bwrap under the hood? what's wrong with that?

>>rectan+E1
The backdoors snuck in because literally everyone is being targeted. Few people ever see the impact of that themselves or understand the chain of events that brought those impacts about.

>>ashish+b2
A better example would be requiring the mailman to obtain written permission to step on your property every day. Convenience trumps maximal security for most people.

>>black_+Q3
Eli5, what is that supposed to mean?

>>Fergus+L4
Many apps require unnecessarily broad permissions with Flatpak. Unlike Android and iOS apps they weren't designed for environments with limited permissions.

>>lifeis+U8
I would configure mailman with permanent write access to the mailbox area

That's what I with my sandbox right now

>>h4x0rr+Na
The original model of computer security is "anything running on the machine can do and touch anything it wants to".

A slightly more advanced model, which is the default for OSes today, is to have a notion of a "user", and then you grant certain permissions to a user. For example, for something like Unix, you have the read/write/execute permissions on files that differ for each user. The security mentioned above just involves defining more such permissions than were historically provided by Unix.

But the holy grail of security models is called "capability-based security", which is above and beyond what any current popular OS provides. Rather than the current model which just involves talking about what a process can do (the verbs of the system), a capability involves taking about what a process can do an operation on (the nouns of the system). A "capability" is an unforgeable cryptographic token, managed by the OS itself (sort of like how a typical OS tracks file handles), which grants access to a certain object.

Crucially, this then allows processes to delegate tasks to other processes in a secure way. Because tokens are cryptographically unforgeable, the only way that a process could have possibly gotten the permission to operate on a resource is if it were delegated that permission by some other process. And when delegating, processes can further lock down a capability, e.g. by turning it from read/write to read-only, or they can e.g. completely give up a capability and pass ownership to the other process, etc.

https://en.wikipedia.org/wiki/Capability-based_security

>>troad+(OP)
Yet we look at phones, and we see people accepting outrageous permissions for many apps: They might rely on snooping into you for ads, or anything else, and yet the apps sell, and have no problem staying in stores.

So when it's all said and done, I do not expect practical levels of actual isolation to be that great.

>>black_+Q3
Seems like a bad time to bring this up when it wouldn't have helped with this attack at all.

>>autoex+D5
And yet, many people perceive a difference between “getting hacked” and “not getting hacked” and believe that certain precautions materially affect whether or not they end up having to deal with a hacking event.

Are they wrong? Do gradations of vulnerability exist? Is there only one threat model, “you’re already screwed and nothing matters”?

>>black_+Q3
FreeBSD used to have an ELF target called "CloudABI" which used Capsicum by default. Parameters to a CloudABI program were passed in a YAML file to a launcher that acquired what was in practice the program's "entitlements"/"app permissions" as capabilities that it passed to the program when it started.

I had been thinking of a way to avoid the CloudABI launcher. The entitlements would instead be in the binary object file, and only reference command-line parameters and system paths. I have also thought of an elaborate scheme with local code signing to verify that only user/admin-approved entitlements get lifted to capabilities.

However, CloudABI got discontinued in favour of WebAssembly (and I got side-tracked...)

Redox is also moving towards having capabilities mapped to fd's, somewhat like Capsicum. Their recent presentation at FOSDEM: https://fosdem.org/2026/schedule/event/KSK9RB-capability-bas...

>>hibiki+fl
> Yet we look at phones, and we see people accepting outrageous permissions for many apps

The data doesn't support the suggestion that this is happening on any mass scale. When Apple made app tracking opt-in rather than opt-out in iOS 14 ("App Tracking Transparency"), 80-90% of users refused to give consent.

It does happen more when users are tricked (dare I say unlawfully defrauded?) into accepting, such as when installing Windows, when launching Edge for the first time, etc. This is why externally-imposed sandboxing is a superior model to Zuck's pinky promises.

>>troad+81
I assumed the primary feature of Flatpak was to make a “universal” package across all Linux platforms. The security side of things seems to be a secondary consideration. I assume that the security aspect is now a much higher priority.

>>hibiki+fl
For all its other problems, App Store review prevents a lot of this: you have to explain why your app needs entitlements A, B and C, and they will reject your update if they don't think your explanation is good enough. It's not a perfect system, but iOS applications don't actually do all that much snooping.

>>Noumen+Jl
A capability model wouldn't have prevented the compromised binary from being installed, but it would totally prevent that compromised binary from being able to read or write to any specific file (or any other system resource) that Notepad++ wouldn't have ordinarily had access to.

>>troad+(OP)
I intensely hate that a stupid application can modify .bashrc and permanently persist itself.

Sure, in theory, SELinux could prevent this. But seems like an uphill battle if my policies conflict with the distro’s. I’d also have to “absorb” their policies’ mental model first…

>>lifeis+U8
The early version of UAC in Windows did that…

Asking continuously is worse than not asking at all…

>>ashish+b2
> When I run 'notepad dir1/file1.txt', the package should not sneakily be able to access dir2.

What happens if the user presses ^O, expecting a file open dialog that could navigate to other directories? Would the dialog be somehow integrated to the OS and run with higher permissions, and then notepad is given permissions to the other directory that the user selects?

>>uzerfc+5G
Pretty sure that’s how it works on iOS. The app can only access its own sandboxed directory. If it wants anything else, it has to use a system provided file picker that provides a security scoped url for the selected file.

>>BobbyT+gA
Some of the stuff that I install is actually meant to behave like malware.

But fine lock windows down for normal users as long as I can still disable all the security. We don't need another Apple.

>>BobbyT+6A
I tend to think things like .bashrc or .zshrc are bad ideas anyways. Not that you asked but I think the simpler solution is to have those files be owned by root and not writable by the user. You're probably not modifying them that often anyways.

>>its_ma+l
I'm sure you're right; however, there is still a distinction between the state using my device against me and unaffiliated or foreign states using my device against me or more likely simply to generate cash for themselves.

It's still worth solving one of these problems.

>>troad+(OP)
> Linux people are very resistant to this

Because security people often does not know the balance between security and usability, and we end up with software that is crippled and annoying to use.

>>troad+(OP)
> Linux people are very resistant to this, but the future is going to be sandboxed iOS style apps.

Linux people are NOT resistant to this. Atomic desktops are picking up momentum and people are screaming for it. Snaps, flatpaks, appimages, etc. are all moving in that direction.

As for plain development, sadly, the OS developers are simply ignoring the people asking. See:

https://github.com/containers/toolbox/issues/183

https://github.com/containers/toolbox/issues/348

https://github.com/containers/toolbox/issues/1470

I'll leave it up to you to speculate why.

Perhaps getting a bit of black eye and some negative attention from the Great Orange Website(tm) can light a fire under some folks.

>>what+sJ
Yes, UIDocumentPickerViewController is 10+ years old at this point.

There’s also a similar photos picker (PHPicker) which is especially good from 2023 on. Signal uses this for instance.

>>what+sJ
It's also how it works on macOS and even on modern Windows if you are running sandboxed apps.

>>ashish+5d
With systemd or firejail it's quite easy to do this sort of thing on linux.

>>okanat+Nb
> Unlike Android

My experience with android apps seems to be different. Every other app seems to be asking for contacts or calling or access to files.

>>IsTom+jv1
You can usually deny those. If they ask for them without a good reason, that's already suspicious.

>>troad+(OP)
It's truly perverse that, at the same time that desktop systems are trying to lock down what trusted, conventional native apps can and cannot do and/or access, you have the Chrome team pushing out proposals to expand what browsers allow websites to do to the user's file system, like silently/arbitrarily reading and writing to the user's disk—gated only behind a "Are you sure you want to allow this? Y/N"-style dialog that, for extremely good reasons, anyone with any sense about design and interaction has strongly opposed for the last 20+ years.

>>troad+(OP)
Flatpak

>>troad+ho
In the case of iOS, the choice was to use the app with those permissions or without them, so of course people prefer to not opt-in - why would they?

But when the choice is between using the app with such spyware in it, or not using it at all, people do accept the outrageous permissions the spyware needs.

>>ashish+b2
Attempt at real life version (starts with idea they are actually not trustworthy)

  - You invite someone to sit in your living room
    - There must have been a reason to begin with (or why invite them at all)
    - Implied (at least limited) trust of whoever was invited
  - Access enabled and information gained heavily depends on house design
    - May have to walk past many rooms to finally reach the living room
    - Significant chances to look at everything in your house
    - Already allows skilled appraiser to evaluate your theft worthiness
  - Many techniques may allow further access to your house
    - Similar to digital version (leave something behind)
      - Small digital object accessing home network
      - "Sorry, I left something, mind if I search around?"
    - Longer con (advance to next stage of "friendship" / "relationship", implied trust)
      - "We should hang out again / have a cards night / go drinking together / ect..."
      - Flattery "Such a beautiful house, I like / am a fan of <madlibs>, could you show it to me?"
  - Already provides a survey of your home security
    - Do you lock your doors / windows?
    - What kind / brand / style do you have?
    - Do you tend to just leave stuff open?
    - Do you have onsite cameras or other features?
    - Do you easily just let anybody into your house who asks?
    - General cleanliness and attention to security issues

  - In the case of Notepad++, they would also be offering you a free product
    - Significant utility vs alternatives
    - Free
    - Highly recommended by many other "neighbors"
  - In the case of Notepad++, they themselves are not actively malicious (or at least not known to be)
    - Single developer
    - Apparently frazzled and overworked by the experience
    - Makes updates they can, yet also support a free product for millions.
    - It doesn't really work with the friend you invite in scenario (more like they sneezed in your living room or something)