by upofadown
3812 days ago
I had never even heard of the issue of GUI isolation before people started using it as a way of promoting the Wayland idea. It was well known that keystroke loggers were particularly easy to do in *nix type systems but once you own a user in most any environment in practice getting keystrokes (or anything else associated with that user) isn't that hard. You really have to go further and explicitly sandbox a potentially malicious program. This sort of issue is why Android (also Linux based but doesn't use X) runs apps as separate users.
X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring.
but once you own a user in most any environment in practice getting keystrokes (or anything else associated with that user) isn't that hard. You really have to go further and explicitly sandbox a potentially malicious program.
Definitely. But I think the trust model has also changed over the years. We have gone from trusting a handful of well-vetted programs (10-15 years ago I primarily used a browser, Pine, CenterICQ and a handful of traditional UNIX utilities) to more and more programs that are all newer and typically connect to the net, embed browsers, etc. Consequently, we should trust our applications less.
As you say, you really have to sandbox each program. Apple has pushed this quite hard: applications have UI isolation and App Store applications are sandboxed. In the meanwhile, much of the Linux community has been outright hostile to this idea (except the SELinux, AppArmor, and systemd folks) because it builds walled gardens and applications are provided by trusted distributors anyway.
The reality is that people want to install applications outside what is provided in the distro repos. And perhaps, we don't even want to trust every possible application packaged in a distribution.
We should really go to a small and trusted core operating system where everything else is sandboxed by default.
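The X11 forwarding caveat quoted above hinges on two client options, ForwardX11 and ForwardX11Trusted, and ssh_config keeps the first value it obtains for each keyword, so a permissive early Host block silently wins over a restrictive later one. The audit below is an added example written for this discussion, not code from the thread or from OpenSSH; it assumes upstream defaults (both options off) and a constructed sample config.

```python
"""Audit an OpenSSH client config for the X11 forwarding risk quoted above.

ssh_config is read top to bottom and, for each keyword, the FIRST value
obtained wins; later Host blocks cannot override it.  This walks the file
the same way and reports the effective settings for one host name.
"""
from fnmatch import fnmatchcase

X11_KEYS = ("forwardx11", "forwardx11trusted")

def _host_matches(patterns, hostname):
    """Evaluate an ssh_config 'Host' pattern list (supports '!' negation)."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(hostname, pat[1:]):
                return False          # a negated match vetoes the block
        elif fnmatchcase(hostname, pat):
            matched = True
    return matched

def effective_x11(config_text, hostname):
    """Return {'forwardx11': bool, 'forwardx11trusted': bool} for hostname.

    Assumes upstream OpenSSH defaults (both 'no'); a distribution's
    system-wide ssh_config may differ, so append that file's text too.
    """
    found = {}
    active = True                      # lines before any Host/Match block
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ", 1).split(None, 1)
        if not parts:
            continue
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "host":
            active = _host_matches(value.split(), hostname)
        elif key == "match":
            active = False             # Match criteria are not evaluated here
        elif active and key in X11_KEYS and key not in found:
            found[key] = value.lower() == "yes"   # first value wins
    return {k: found.get(k, False) for k in X11_KEYS}

def audit(config_text, hostname):
    """List the X11 forwarding exposures for hostname as short findings."""
    eff = effective_x11(config_text, hostname)
    findings = []
    if eff["forwardx11"]:
        findings.append("ForwardX11: remote users who can read the X "
                        "authorization database reach the local display")
    if eff["forwardx11"] and eff["forwardx11trusted"]:
        findings.append("ForwardX11Trusted: remote X clients are not "
                        "confined by the X SECURITY extension")
    return findings

SAMPLE = """# constructed sample ~/.ssh/config (not a real file)
Host build-* !build-secret
    ForwardX11 yes
    ForwardX11Trusted yes
Host *
    ForwardX11 no
"""
```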