Announcement

Collapse
No announcement yet.

Ubuntu Snap's Security Is Easily Circumvented Due To X11

Collapse
X
Collapse
 
  • Page of 6
  • Filter
  • Time
  • Show
Clear All
new posts
Previous 1 2 3 4 5 6 template Next
  • #41
    Originally posted by sarmad View Post
    What does a package manager have to do with security anyway? I thought snappy is about preventing conflicts between packages, not increasing system security.
    If the package manager puts the applications it installs inside containers that are effective sandboxes, keeps the static files read-only through these containers and puts all the stuff of an application in a place that CANNOT be reached from outside... it increases security.

    In this case, security is increased mosly by doing the same things that it is already doing to prevent conflicts.

    Ignoring for a moment x11's issues that will not be an issue anymore in the near-future.

    Originally posted by pal666 View Post
    it is the most popular one, so it is the other way around. everything else is alien
    Changing point of view does not change facts.

    Comment

    • #42
      What a load of bullshit. If you install untrusted apps you are pwned anyway, and you could run these as untrusted clients in X11.
      • Likes 1

      Comment

      • #43
        Originally posted by starshipeleven View Post
        Changing point of view does not change facts.
        fact is linux is inherently strong against malware

        Comment

        • #44
          Originally posted by pal666 View Post
          fact is linux is inherently strong against malware
          Stop these oversimplifications goddamnit.

          linux is a kernel, malware must blow through userspace first.

          linux desktop userspace... isn't terribly strong against malware. No SELinux, / is rw, x11 is crap, and so on.

          Android userspace is pretty damn strong and locked down. full SELinux enforcing, / is ro, there is no x11, and so on.
          • Likes 1

          Comment

          • #45
            Originally posted by starshipeleven View Post
            linux desktop userspace... isn't terribly strong against malware. No SELinux,
            you are using wrong linux. my linux has "full SELinux enforcing"
            Originally posted by starshipeleven View Post
            / is rw,
            only by root. don't run malware as root
            Originally posted by starshipeleven View Post
            x11 is crap
            x11 is not linux. it is older than linux. and it is crap only if you run malware on same x server. run in on separate x server under separate user. or use wayland and xdg-apps.
            Originally posted by starshipeleven View Post
            , and so on.
            and so on
            Last edited by pal666; 23 April 2016, 09:47 PM.

            Comment

            • #46
              Good reminder, but the security issues have been pointed out by the developers themselves. It's not something that has been revealed by Mr. Garrett. Snaps are still much safer than using debs from a PPA, when snaps can be used as a replacement.

              A common misconception about snaps, is that they have to package their dependencies independently. That's not the case. You should still depend on system libraries whenever you can or at least when it's reasonable. There are lots of examples of apps that would benefit from easier updates to the user and doesn't need to change any system libraries in order to improve. Here, snaps simply provide rootless updates.
              • Likes 2

              Comment

              • #47
                Originally posted by pal666 View Post
                you are using wrong linux. my linux has "full SELinux enforcing"
                Mine too, point is, SELinux enforces rules, and these rules aren't terribly strict in most distros (RHEL and derivatives excluded, dunno about Novell stuff but it probably the same as Red Hat's).

                Ubuntu is using Apparmor, and the same applies, general settings.

                On servers it is another thing of course.

                On Android, it varies, but it is usually more locked down than desktops.

                only by root. don't run malware as root
                yeah, and the system image is signed and if there is tampering the bootloader does not allow it to boot (some devices, HTC I think), and/or any OTA update on a compromised/tampered device renders the device unbootable as it is done at the block level and not at the file level (Samsung).

                x11 is not linux. it is older than linux.
                no duh, x11 is graphic server, linux is kernel. x11 is part of linux desktop userspace.

                and it is crap only if you run malware on same x server. run in on separate x server under separate user.
                Distros don't do that usually, there is only one x11 running.


                Comment

                • #48
                  Gotta side with starshipeleven on that one (I didn't think I'd ever honestly utter these words. Gee!)
                  If Android is GNU/Linux, then so is Windows.

                  Desktop GNU/Linux has almost nothing in common with Android. Starting from the very fact that Android doesn't even use the GNU userspace.
                  The display server is different. Most of the APIs are custom and the apps run inside a special runtime anyways.

                  A kernel an OS does not make.
                  • Likes 1

                  Comment

                  • #49
                    Originally posted by sarmad View Post
                    What does a package manager have to do with security anyway? I thought snappy is about preventing conflicts between packages, not increasing system security.
                    You do know different versions of libraries usually have different sets of security vulnerabilities, right? Snappy is primarily about hard-freezing your libraries to a version with an eventually known set of security vulnerabilities rather than having what your distro has which is basically a partially known set of security vulnerabilities

                    Comment

                    • #50
                      Originally posted by jo-erlend View Post
                      Good reminder, but the security issues have been pointed out by the developers themselves. It's not something that has been revealed by Mr. Garrett. Snaps are still much safer than using debs from a PPA, when snaps can be used as a replacement.

                      A common misconception about snaps, is that they have to package their dependencies independently. That's not the case. You should still depend on system libraries whenever you can or at least when it's reasonable. There are lots of examples of apps that would benefit from easier updates to the user and doesn't need to change any system libraries in order to improve. Here, snaps simply provide rootless updates.
                      No proprietary program through snaps is going not to ship its own dependencies. Companies typically only trust their own QA and if they don't internally test 1:1 with target system, it makes predicting software quality and amount of support calls really hard. This is why we should not have proprietary software on Linux in the first place

                      Comment

                      Previous 1 2 3 4 5 6 template Next
                      Working...
                      X