by nehal3m 1067 days ago
The first article links to this [1]:

Almost all popular applications on flathub come with filesystem=host, filesystem=home or device=all permissions, that is, write permissions to the user home directory (and more), this effectively means that all it takes to "escape the sandbox" is echo download_and_execute_evil >> ~/.bashrc. That's it.

This includes Gimp, VSCode, PyCharm, Octave, Inkscape, Steam, Audacity, VLC, ...

To make matters worse, the users are misled to believe the apps run sandboxed. For all these apps flatpak shows a reassuring "sandbox" icon when installing the app (things do not get much better even when installing in the command line - you need to know flatpak internals to understand the warnings).

[1] https://flatkill.org
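
An added example, not part of the original post or of flatkill.org: a small auditor for the permissions the quote describes, run over the keyfile that `flatpak info --show-metadata <app-id>` prints. The sample metadata and the application name in it are constructed, and the check is deliberately limited to the `host`/`home` filesystem grants and `devices=all`.

```python
import configparser

# Grants the quoted passage singles out: whole-host or whole-home filesystem
# access, and access to every device node.
BROAD_FILESYSTEMS = {"host", "home"}
BROAD_DEVICES = {"all"}

def _context(metadata_text):
    """Parse a Flatpak metadata keyfile and return its [Context] section as a dict."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(metadata_text)
    return dict(cp["Context"]) if cp.has_section("Context") else {}

def _entries(value):
    """Split a ';'-separated keyfile list, dropping empty and negated ('!') entries."""
    return [e.strip() for e in value.split(";") if e.strip() and not e.strip().startswith("!")]

def broad_grants(metadata_text):
    """Return the broad grants present, e.g. ['filesystems=home', 'devices=all']."""
    ctx = _context(metadata_text)
    found = [f"filesystems={e}" for e in _entries(ctx.get("filesystems", ""))
             if e.split(":", 1)[0] in BROAD_FILESYSTEMS]  # drop the :ro/:rw suffix
    found += [f"devices={e}" for e in _entries(ctx.get("devices", ""))
              if e in BROAD_DEVICES]
    return found

def can_write_home(metadata_text):
    """True when a host/home grant is not read-only, so ~/.bashrc is writable."""
    return any(g.startswith("filesystems=") and not g.endswith(":ro")
               for g in broad_grants(metadata_text))

# Constructed sample metadata (not taken from any real application).
SAMPLE_BROAD = """\
[Application]
name=org.example.Editor

[Context]
shared=network;ipc;
sockets=x11;wayland;
devices=all;
filesystems=home;xdg-download:ro;
"""
SAMPLE_READONLY = "[Context]\nfilesystems=home:ro;!host;\ndevices=dri;\n"
SAMPLE_NARROW = "[Context]\nfilesystems=xdg-download;\ndevices=dri;\n"

if __name__ == "__main__":
    for name, text in [("broad", SAMPLE_BROAD), ("read-only", SAMPLE_READONLY), ("narrow", SAMPLE_NARROW)]:
        print(name, broad_grants(text), "home writable:", can_write_home(text))
```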

1 comments

I guess I just don't buy it completely. Given that I myself have had a hard time giving permission to Flatpak to access even an unimportant network drive (Flatseal is a godsend for giving/denying permissions in any way you please) while the same app on Windows will happily write anything to C:\Windows\System32, I feel like we're talking about entirely different beasts. But perhaps I'm naive. I also feel like there would be a very large vested interest in making people feel more unsafe in Linux than they do in Windows/MacOS for obvious reasons.

And given that the version of Fedora I use is immutable and even I have a hard time messing with it to the point of pain/exploit with full access to the system (and I've tried for fun in VMs) I feel like a trusted flatpak app I download from a trusted source is going to have a damn near impossible time doing much of anything. While I feel like a simple website hack that serves me a bad .exe could/would cripple every single file it can find on my network on a Windows machine.

You're right. I'm entirely unconvinced by anyone in this thread that Linux isn't still WAY safer all around.

You can come up with theoretical threats all day that Linux is susceptible to, sure.

But at the end of the day, there is not a single serious cloud company (or just about any tech company that isn't MS) genuinely looking at "we should switch to Windows or MacOS for the backbone of our company." And it's Linux that gets the downstream security that comes with that.

Whole lotta cope in this thread.