Better Flatpak Support For Firefox Appears To Be Coming
  • #31
    Originally posted by starshipeleven View Post
    Root can also override the sandboxing settings specified in the application manifest with "flatpak override" (both to harden it more or to relax the permissions)
    Then all your rudeness and vulgar/condescending misquoting is for nothing-- when I said:

    Alright, we've now established that mechanisms to disable the sandbox should be on the user configuration side, not the package configuration side.
    All I meant was that the user should be able to "override the sandboxing settings specified in the application manifest"

    I certainly didn't mean that it's a problem if you have to become root first. I mean there's a history there, you have to be root to change the permissions (or contents) of files in /usr/bin, eh?

    Everything you said really seemed to imply that

    1. no such thing was possible

    2. even if it were possible, it would be terrible security

    It's possible as root? No problem, then! You were misunderstood, the claims two people took issue with-- you didn't make, apparently. Hooray.


    • #32
      Originally posted by fsfhfc2018 View Post
      Then all your rudeness and vulgar/condescending misquoting is for nothing
      Nah, you are the one that started trolling and stating bullshit about Red Hat and fabois. If you just asked directly, I would have just answered without trolling you back.

      All I meant was that the user should be able to "override the sandboxing settings specified in the application manifest"
      What you wrote is only loosely related, and I guess also what I said was not clear enough. I was thinking you were opposing the principles behind the "all untrusted" security model.

      You said
      The future doesn't actually require sandboxing to be something the user can't turn off.
      and
      mechanisms to disable the sandbox should be on the user configuration side

      Yes the sandboxing can be turned off but it's not something that a user will be able to do easily, you need to know enough about Flatpak (and Linux) to know what you need to do. It's not like an ON/OFF switch that any primate can operate. The "easy switches" are the Portal system, described above, which is limited in scope and mimics Android permissions.

      This still means most users won't be able to disable the sandbox, and reserves this ability to developers and tinkerers, forcing application developers to support some form of sandboxing with their application if they want to ship a flatpak.


      • #33
        Do I understand it right that the "sandbox" permits full read-write access to the user home directory?


        • #34
          Originally posted by starshipeleven View Post
          wtf are you talking about?
          1. Root has full access to the application and its sandbox even if it's in a flatpak (they are some folder structure somewhere in the disk, I don't recall at the moment).
          2. Root can also override the sandboxing settings specified in the application manifest with "flatpak override" (both to harden it more or to relax the permissions) http://docs.flatpak.org/en/latest/fl...atpak-override

          Of course this requires that root has any understanding of Flatpak first.

          Yes it is your imagination.
          Flatpaks are stored in /var/lib/flatpak and their files can be modified by root (although a Flatpak update would remove any mods). This is how Spotify mods still work on the Flatpak. You can also install apps to the user's folder, which puts them in ~/.local/share/flatpak (the location makes no sense).

          In contrast, Snap doesn't let you modify applications.


          • #35
            Originally posted by starshipeleven View Post
            Like it or not, that's the only decent way for the future.
            Layer on top of layer on top of layer on top of layer.


            • #36
              Originally posted by tildearrow View Post

              Layer on top of layer on top of layer on top of layer.
              MORE ABSTRACTION FOR THE ABSTRACTION GOD!!!

              Ahem. On a more serious note, it's basically a container, which is less mindbogglingly stupid than doing a full VM (which is what I have to do way too many times at work) so there is that.

              But yeah, the current OS design is starting to show its age, Flatpak and containers are a bandaid. A true solution is a thorough redesign of the OS/applications concept.
              Last edited by starshipeleven; 09-13-2019, 02:41 PM.


              • #37
                Originally posted by binjanurich View Post
                Do I understand it right that the "sandbox" permits full read-write access to the user home directory?
                It depends. You can give a sandboxed app that access, however, you don't have to.

                Imagine a sandboxed Acrobat Reader. You could give it read/write access to $HOME, but revoke network access.

                For Spotify it's the other way around.
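
The two cases in the post above (home access kept and network revoked, and the reverse), worked through as an added example that is not part of the thread or of Flatpak's own code. It assumes the keyfile layout described in flatpak-metadata(5), where an override entry prefixed with `!` withdraws a permission; the manifest and overrides are constructed sample input.

```python
import configparser

# Constructed sample manifest metadata (not a real application's).
MANIFEST = """\
[Context]
shared=network;ipc;
sockets=x11;pulseaudio;
filesystems=home;xdg-download:ro;
"""
# Constructed overrides, in the form assumed for "flatpak override" files.
NO_NETWORK = "[Context]\nshared=!network;\n"
NO_HOME = "[Context]\nfilesystems=!home;\n"

def context(text):
    """Parse the [Context] group into {key: [entries]}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("Context"):
        return {}
    return {k: [e for e in v.split(";") if e] for k, v in cp["Context"].items()}

def effective(manifest, override):
    """Apply override entries on top of the manifest's permissions."""
    perms = context(manifest)
    for key, entries in context(override).items():
        current = perms.setdefault(key, [])
        for entry in entries:
            name = entry.lstrip("!").split(":")[0]
            # An override replaces any earlier grant of the same item.
            current[:] = [e for e in current if e.split(":")[0] != name]
            if not entry.startswith("!"):
                current.append(entry)
    return perms

def home_access(perms):
    """Return 'rw', 'ro' or None; only the 'home' and 'host' entries are checked."""
    for entry in perms.get("filesystems", []):
        name, _, mode = entry.partition(":")
        if name in ("home", "host"):
            return "ro" if mode == "ro" else "rw"
    return None

def has_network(perms):
    return "network" in perms.get("shared", [])

if __name__ == "__main__":
    for label, override in (("reader", NO_NETWORK), ("player", NO_HOME)):
        p = effective(MANIFEST, override)
        print(label, "home:", home_access(p), "network:", has_network(p))
```
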
