Ubuntu 24.10 To Enhance Snap Permissions Handling
#41
    Originally posted by moonwalker:
    Our company actually develops a product based on Ubuntu, and Snap has been a major PITA for that. There are environments our product has to run in that don't have Internet access, yet still need their software regularly updated with any security fixes, and Canonical has no solution for that right now other than selectively pulling specific packages from the Snap Store and side-loading them into a standalone snap proxy instance. I've also heard Canonical claiming that shipping Firefox as a snap is Mozilla's requirement, but why does Mozilla then serve their own APT repo now? Either way, on my work laptop (where I run Ubuntu because our corp IT doesn't allow running Debian) I just have an APT pin that sets `snap` priority to -1, making sure it never gets installed once it is purged from the system.
You should look into hosting an internal Flatpak repo instead; it's also easy to integrate Flatpak into your CI. It also comes with the benefit over system packages that it is guaranteed to work on all distros consistently (not just Ubuntu), even on exotic desktops like NixOS, or non-systemd and non-glibc distros. Plus if your customers want good security measures and least-privilege sandboxing, developing your app to target XDG portals is the easiest way into that (and is something you must do for all Linux apps nowadays regardless of company requirements). If it needs low-level system access outside the Flatpak sandbox, then for most cases you can use flatpak-spawn.
Last edited by IverCoder; 12 September 2024, 07:19 AM.
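The APT pin moonwalker mentions, as an added example that is not code from the thread: it writes the preferences stanza that pins snapd at priority -1 and reads the pin back. PREF_DIR and PREF_FILE are assumed knobs so the functions can be exercised in a scratch directory; the apt-cache check only runs where apt is present.

```shell
#!/bin/sh
# Added example: keep snapd off an Ubuntu machine once it has been purged.
# Assumes the Ubuntu package name "snapd" and the standard
# /etc/apt/preferences.d/ drop-in directory. PREF_DIR and PREF_FILE are
# hypothetical overrides so the functions can be tested in a scratch dir.
PREF_DIR="${PREF_DIR:-/etc/apt/preferences.d}"
PREF_FILE="${PREF_FILE:-nosnap.pref}"

# Write the pin. A priority below 0 tells APT never to install that
# version, so snapd (and anything depending on it) cannot be pulled in.
write_snap_pin() {
    mkdir -p "$PREF_DIR"
    cat > "$PREF_DIR/$PREF_FILE" <<'EOF'
# Keep snapd off this machine once it has been purged.
Package: snapd
Pin: release a=*
Pin-Priority: -1
EOF
}

# Print the priority pinned for a package in the pin file
# (prints nothing if the package is not pinned there).
pinned_priority() {
    awk -v pkg="$1" '
        /^Package:/      { cur = $2 }
        /^Pin-Priority:/ { if (cur == pkg) print $2 }
    ' "$PREF_DIR/$PREF_FILE" 2>/dev/null
}

# Where apt is installed, confirm what APT itself resolved: the
# "Pinned" and "Candidate" lines show whether the pin took effect.
check_with_apt() {
    command -v apt-cache >/dev/null 2>&1 || { echo "apt-cache not available"; return 0; }
    apt-cache policy snapd | grep -E 'Pinned|Candidate'
}
```

Run `write_snap_pin` as root, then `check_with_apt`; an installed snapd still has to be purged separately, the pin only stops it coming back.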



#42
    Originally posted by tesfabpel:
    Flatpak already has it. With Flatseal you can also manage it via a GUI app (without using the command line).
Mmm... but if I get it right, that 'flatseal' program has nothing to do with this. That is only a manager of coarse permissions ("allow/deny access to the desktop folder", "allow/deny access to the Documents folder"...). This is different: here, when the snap tries to access a folder, it asks you what you want to do: allow it only now, allow it always, deny it now, deny it always... That allows for more fine-grained permissions.



#43
    Originally posted by IverCoder:
    You should look into hosting an internal Flatpak repo instead; it's also easy to integrate Flatpak into your CI. It also comes with the benefit over system packages that it is guaranteed to work on all distros consistently (not just Ubuntu), even on exotic desktops like NixOS, or non-systemd and non-glibc distros. Plus if your customers want good security measures and least-privilege sandboxing, developing your app to target XDG portals is the easiest way into that (and is something you must do for all Linux apps nowadays regardless of company requirements). If it needs low-level system access outside the Flatpak sandbox, then for most cases you can use flatpak-spawn.
Please read my posts. If you read them, you'll know the problem is not with hosting our own internally developed packages (APT does an admirable job there), but making sure the OS itself can stay up-to-date. I've already explained that just a little bit earlier in response to another person that misunderstood the very same post you just quoted. With the OS we have to use being Ubuntu, that means being stuck with whatever Canonical decided are the update delivery mechanisms, namely a combination of APT and Snap. Ripping that out and replacing it with Flatpak means making changes that are not sanctioned (and therefore unsupported) by Canonical, and if it is done only for the isolated environments that means having a special case instead of a homogeneous solution, and that is always a maintenance nightmare. For a small team like ours and the scale we have to support that would be suicidal. And that's not even talking about breaking customers' expectations when they expect a product with Ubuntu that in practice doesn't behave like Ubuntu, using Flatpak instead of Snap.

People, please, please don't get ahead of yourselves suggesting solutions to other people's problems without first making 100% certain you actually understand what the problem is. It'll help you in your careers, and will save the frustration both to you for your solutions being dismissed, and to other people for not being heard. The same rule applies just as well outside of technical issues, in interpersonal relationships. If you're not 100% sure you're actually addressing the right problem - ask questions first, seek to understand. Please.



#44
    Originally posted by royce:
    Total security is impossible. The most you can do is make it harder for hackers to break in. The methods you describe above are pretty exotic, and very hard to pull off, and impossible on many embedded systems because they lack the hardware you mention. So yes, air-gapping does offer an extra degree of security.
His point was to go along with mine that air-gapping alone is not a panacea; you still want to make sure the other aspects of your system are as secure as possible, because security is not an on/off switch, it's all about cost vs benefit, making things so difficult to hack as to match or exceed the potential value obtained in a successful hack. Considering that air-gapped systems are often the ones with very high rewards for a successful hack (e.g., defense data, high tech research), people and especially state actors may still attempt to hack those.



#45
Agreed.



#46
    Originally posted by krzyzowiec:
    They don't interrupt anything on Ubuntu. The way they work is that while you have the application open, it won't update, but then it will if you close it or reboot the system.
Maybe on snaps it is like that, but not with system updates. System updates in general do not interrupt the workflow, but create inconsistency that can lead to crashes.
For this reason nowadays offline updates are encouraged, or a reboot in case the kernel is among the updates, but at the very least a session restart.

Regardless, updates take away system resources and if I'm doing heavy work I don't want the system to update. Also, what's the problem with clicking on a button that says update after you've had the notification?



#47
    Originally posted by qarium:
    there is a difference between linuxfoundation and ubuntu: in the case of linuxfoundation it is only money from microsoft but the management is not in their hands..

    with ubuntu it is different, the complete management of ubuntu is in the hands of these microsoft evil people.
You think Ubuntu is managed by Microsoft?

ROTFLMAO, now that's a good one.

Unless of course you actually believe this, in which case it's really sad.

    Originally posted by qarium:
    you claim you have a cyber security university degree then please explain this to me:
        The company has decided not to extend these updates to its Ryzen 1000, 2000, and 3000 series processors or its Threadripper 1000 and 2000 models.

    you claim in your writing that it is impossible to hide a virus on my system that could survive a full disk format...
    i have a threadripper 1920X, this means ZEN1 cpu architecture, this means my cpu has the sinkclose vulnerability, and zen1 and zen1+ and zen2 will never get a bios/uefi update with updated microcode.
    this means as soon as someone has root access at kernel level he can use sinkclose to install a virus that can in fact survive a full disk format.

    but you know, what you talk about here is an older story, it was about a vulnerability in the language pack of Firefox119.
    it used a chain of vulnerabilities from firefox119 as entry point, over a glibc root exploit to get root access at kernel level, and then it used the LogoFAIL vulnerability to install a poisoned /boot/efi/logo.jpg to be able to install a virus that did in fact survive a full disk format.

    because of that story (you, sophisticles, did post the poisoned link to the webserver that did this) i'm pretty sure my systems are trash and i have to buy a new system.

    sinkclose will never get patches on my threadripper 1920x system and i am pretty sure the attackers knew sinkclose as well, meaning they did not only use LogoFAIL, they of course installed a trojan horse via sinkclose as well.
You know, sometimes I think this is just an elaborate troll on your part, but the sad thing is I have met people like you in real life that suffer from paranoia.

I'm going to try and help you.

Any time you get thoughts like the ones you just expressed, just tell yourself that you are not that important, no one cares about you and that in the grand scheme of things you are inconsequential.

Attempt to apply some logic to the situation.

If you really believe that a TR 1920X running a fully updated Fedora install can be compromised in the manner you describe, then why would you use either one of them, especially if you really believe that you are being targeted for being a dissenter?

If you must use a computer, why not make the attack vector as small as possible: buy an M3 iPad Pro or a Qualcomm powered laptop that runs LFS and be as safe as possible.

Or don't use a computer at all.

It just doesn't make any sense; if you really believe the scenario you have described then logically Fedora and AMD's TR would be the last thing you would want to use.



#48
    Originally posted by qarium:
    their idea that an air-gapped system is secure is really naive.

    wikipedia is full of hacks and possibilities to break the air gap...

    "Circumvention measures: Since November 2013, scientists have shown that air gaps can be tricked using various methods. They can be overcome using covert acoustic networks.[3][4]
    A computer's graphics card can also be used to generate a radio signal.[5]
    The air gap can even be overcome by temperature changes.[6]
    Information can also be spied on via GSM devices (such as mobile phones).[7]
    Small amounts of data can also be transmitted using the noise of a hard disk read/write head.[8]
    Another point of attack is optical transmission via manipulated hard disk activity indicators or other LEDs that are visible from the outside.[9] The processor of a PC can be used to emit radio waves.[10] Network cables can also be used to generate radio signals.[11]"

    how exactly can people claim that air gap alone is enough as a security measure and such systems do not need security updates...

    if you can deliver security updates to air-gapped systems with .deb and .rpm and flatpak and the same task is not possible with snap then of course snap is a security disaster.
This is a glowing example of why the internet can be such a bad thing.

In the hands of someone with experience and no psychological issues, knowledge is a good thing.

But in the hands of a person that suffers from paranoia, knowledge is a bad thing, especially when that person lacks the experience and formal education to understand the difference between theory and practice.

All the things you linked to above require a scenario that only exists in a lab setting.

A true air-gapped system is in a room by itself, and the only people that use it are the people that are authorized to use it.

One of the supposed compromises requires the attacker to be within 3 meters, 10 feet, of the computer. If an unauthorized person is within 10 feet of an air-gapped computer, you have bigger problems than the computer being hacked.

Everything you posted requires that security already be compromised, at which point the attacker can take whatever he wants.



#49
    Originally posted by moonwalker:
    The reason I "decided to be so anal about the specific way of delivery" is one word - scale. It has to work at a very large scale, combined with potentially very stringent security requirements.
Or you could have behaved like a normal person and understood that it was just an example of file sharing, and thus realized that file sharing can be done via several different methods; for simplicity I just mentioned one, since I was mistaken to believe that you would understand that it wasn't an exclusive list of ways to conduct file sharing. Instead you had to go the route of spewing insults and name calling.



#50
    Originally posted by Espionage724:
    I want stability with a desktop; Ubuntu provides that. Fedora's only interested in chasing upstream, which broke GNOME for me since F38 or F39, and still F40 last month.
    FreeBSD's where it's at now without the nonsense of systemd as an init being able to leak past OS VPNs with its own DNS, and being able to make the decision to use Xorg without prejudice.
you can have the same desktop with debian, or if you want it ubuntu based without snaps use Pop!_OS

i used debian for a desktop for decades; it's a lie that you need ubuntu for that.
Last edited by qarium; 12 September 2024, 07:41 PM.
Phantom circuit Sequence Reducer Dyslexia
