by TheBrokenRail 1236 days ago
Yeah, un-sandboxed programs can access all your user files. That's why there has been such a large push for sandboxing tech like Flatpak. (In general though, you really shouldn't be running programs you don't trust in anything but a VM.)
2 comments

I understand the principle, but it seems too onerous on the end user.

What is a program you "trust"? Something you bought online from a curated app store? Those occasionally have trojans as well. Something you downloaded? Well, if it's open source, that's the norm. Something you build from source? Most people wouldn't be able to spot an exploit hidden in the source code.

So... is "run everything sandboxed by default" the recommendation for regular users? Or is it "do not download or buy anything, it's simply not safe"?

I trust the maintainers of my distro software repositories. Any non-distro software, I want to audit before I install or it should be sandboxed.

And yes. The recommendation is to not just download and run programs you find on the web.

Unfortunately I think the option you propose (sandboxing) is unreasonable for most users. A lot of the software you want to run (e.g. games, but also lots of special software, including apps/experiments featured on HN) is not available as part of your distro. It's unreasonable to expect end users to sandbox everything just in case.

It may be the only thing that works, but it's also an unreasonable expectation. In practice, this makes it a non-solution. A security solution must both work and be reasonably doable by most users.

It doesn't have to be reasonable for most users. GNU/Linux in general isn't reasonable for most users.
But this problem isn't exclusive to Linux or Unix. It affects everyone using a computer (with the possible exception of mobiles that sandbox by default).
Most users aren't on hacker news.

You should not confuse general wording, which is directed to people who read this website (by the fact that it's y'know posted here instead of somewhere else), with advice for the average person.

What percentage of HN readers do you guess sandbox every non-distro-packaged program by default? My guess: they are probably a minority even here, so it's a nonstarter for the general user population.
> so it's a nonstarter for the general user population.

I agree. My point was that this point isn't important for a discussion on a niche site.

> So.. it's run everything sandboxed by default the recommendation for regular users?

Yeah, that is probably the best solution. Most mobile OSes do that by default now anyway. Desktop Linux has Flatpaks and Snaps. Windows has UWP apps. And I think macOS has its entitlements system IIRC.

If you don't absolutely trust something, you shouldn't allow it to run unrestricted.

If the OS does this by default and it becomes the standard way of working, then sure. You would need to change how to share files you do want to share and solve some other hurdles, of course.

If this isn't the default mode -- transparent, where end users must do nothing in particular -- I don't see it succeeding though.
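The two comments above turn on a concrete point: a Flatpak sandbox is only as tight as the permissions the app requests, and "sharing the files you do want to share" means narrowing those grants rather than leaving `home` open. The script below is an added example, not code from anyone in this thread or from the Flatpak project. It audits a permission dump in the format `flatpak info --show-permissions <app-id>` prints for the grants that make the sandbox mostly cosmetic (`filesystems=home`/`host`, the unfiltered `session-bus` socket, `devices=all`, and talk access to `org.freedesktop.Flatpak`, which lets the app run commands outside the sandbox via `flatpak-spawn --host`), and prints the `flatpak override` commands that drop them and re-share a single directory read-only instead. The permission dump and the app id `org.example.App` are constructed for the example.

```shell
#!/bin/sh
# Added example: audit a Flatpak app's requested permissions for grants that
# defeat the sandbox, and print override commands that narrow them.
# SAMPLE_PERMS is a constructed dump in the shape of
# `flatpak info --show-permissions <app-id>` output; it is not from a real app.

SAMPLE_PERMS='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;session-bus;
devices=dri;
filesystems=home;xdg-run/pipewire-0;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
org.freedesktop.Notifications=talk
'

# audit_perms: read a permission dump on stdin; print one line per broad grant.
# Exit status 0 = nothing broad found, 1 = at least one broad grant.
audit_perms() {
    awk -F= '
        /^\[/ { section = $0; next }
        section == "[Context]" && $1 == "filesystems" {
            n = split($2, fs, ";")
            for (i = 1; i <= n; i++)
                # home/host (any :ro/:rw/:create suffix) expose all user files
                if (fs[i] ~ /^(home|host)(:.*)?$/) {
                    print "filesystem " fs[i] ": app can read your user files"; bad = 1
                }
        }
        section == "[Context]" && $1 == "sockets" {
            n = split($2, s, ";")
            for (i = 1; i <= n; i++)
                if (s[i] == "session-bus" || s[i] == "system-bus") {
                    print "socket " s[i] ": unfiltered D-Bus, can drive other services"; bad = 1
                }
        }
        section == "[Context]" && $1 == "devices" && $2 ~ /(^|;)all(;|$)/ {
            print "devices=all: raw access to /dev"; bad = 1
        }
        section == "[Session Bus Policy]" && $1 == "org.freedesktop.Flatpak" && $2 ~ /^(talk|own)$/ {
            print "talk org.freedesktop.Flatpak: can run host commands via flatpak-spawn --host"; bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# suggest_overrides APP_ID: print per-user overrides that drop the broad grants
# and share exactly one directory read-only in their place.
suggest_overrides() {
    app=$1
    printf 'flatpak override --user --nofilesystem=home --nofilesystem=host %s\n' "$app"
    printf 'flatpak override --user --filesystem=~/Documents/shared-with-%s:ro %s\n' "$app" "$app"
    printf 'flatpak override --user --nosocket=session-bus %s\n' "$app"
    printf 'flatpak override --user --no-talk-name=org.freedesktop.Flatpak %s\n' "$app"
    printf 'flatpak override --user --show %s\n' "$app"   # verify the result
}

# Usage against the constructed sample; for a real app, replace the printf with
#   flatpak info --show-permissions "$app" | audit_perms
if ! printf '%s' "$SAMPLE_PERMS" | audit_perms; then
    echo "Broad grants found; suggested narrowing for org.example.App:"
    suggest_overrides org.example.App
fi
```

The read-only share is the point of the second override: with `home` dropped, the app keeps working on the one directory you chose, and the rest of the home directory (including `~/.ssh`) is simply absent from its mount namespace rather than protected by a permission check it might find a way around.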

> I understand the principle, but it seems too onerous on the end user.

I agree that this is the state of affairs currently, but this could be made to work similarly to how it works on Android perhaps, which has generally good UX for this.

Is running untrusted programs in a VM actually safe? Are they sufficiently secure that it's not trivial to escape one if that's the expected scenario?
Absent unexpected security issues which are usually patched very quickly as soon as they are discovered by legitimate researchers/white-hats, it is non-trivial to escape one. You are not supposed to be able to escape a VM.

If someone's targeting you with a 0-day exploit that can escape VM sandboxing, having your ssh key hijacked is probably one of your lesser problems. :-/

(If someone has a VM-busting 0-day, they're probably using it in a targeted fashion. The wider that kind of thing is used, the quicker it will be noticed, and patched, and made useless.)