Sandboxed applications for Gnome, part 2 - catern
http://blogs.gnome.org/aday/2014/07/23/sandboxed-applications-for-gnome-part-2/

======
TD-Linux
I can't seem to comment on that blog, so I'll write my comment here.

I think this is absolutely a wonderful idea in general and needs to happen
soon. Once any program a Linux user is running is compromised, essentially the
whole machine is compromised. This is quite unfortunate.

My main complaint is the file chooser dialog. I would much rather see a
traditional file chooser - the arguments given for reinventing it don't hold
up. You can pass file descriptors between processes. If you want to select a
"cloud file", use fuse with some pretty integration, which is just how GNOME 3
does it right now.
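
The fd-passing mechanism this comment refers to, as an added example (not the commenter's code, nor GNOME's): a Unix-socket SCM_RIGHTS exchange in which a "chooser" side opens a file and hands only the read-only descriptor to an "app" side, which then reads it without any path access. The temp-file path under /tmp and the sample contents are constructed for the demo; both sides run in one process for brevity, where a real portal would be a separate, more privileged process.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Hand a file descriptor to the peer of a Unix socket via SCM_RIGHTS. */
static int send_fd(int sock, int fd) {
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
/* Receive one descriptor; reject anything that is not an SCM_RIGHTS message. */
static int recv_fd(int sock) {
    char byte, cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}
/* Demo: the "chooser" side (sv[0]) opens a constructed temp file and passes only
   a read-only descriptor; the "app" side (sv[1]) reads it without ever seeing
   the path. Returns 1 if the app read back exactly what the chooser wrote. */
int demo_fd_passing(void) {
    const char *content = "picked by the user";   /* constructed sample data */
    char path[] = "/tmp/fdpass-XXXXXX", buf[64];  /* assumed writable /tmp */
    int sv[2], wfd = mkstemp(path);
    if (wfd < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    if (write(wfd, content, strlen(content)) < 0) return 0;
    close(wfd);
    int rfd = open(path, O_RDONLY); unlink(path); /* path gone; only the fd remains */
    int ok = rfd >= 0 && send_fd(sv[0], rfd) == 0;
    close(rfd);                          /* chooser drops its copy; app's copy survives */
    int got = ok ? recv_fd(sv[1]) : -1;
    ssize_t n = got >= 0 ? read(got, buf, sizeof buf - 1) : -1;
    close(got); close(sv[0]); close(sv[1]);
    if (n < 0) return 0;
    buf[n] = '\0';
    return strcmp(buf, content) == 0;
}
```

Because the app side only ever holds the descriptor, a sandbox can deny it filesystem access entirely and the user's choice in the chooser is still honoured.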

------
yarrel
This is mobile app cargo culting. Running untrusted code on your phone is not
a good model for desktop software, particularly in UNIX.

~~~
weavejester
Where in the article does it advocate running untrusted code?

------
wfunction
Absolutely horrible idea. Linux users aren't exactly in desperate need of
protection from their computers.

~~~
catern
So, you run as root at all times? :)

~~~
wfunction
Yes? In fact I hate getting prompted for privileges/passwords/etc. I don't run
antimalware either, neither on Linux nor Windows (permanent admin there too).
I know what I'm doing when I'm working on the computer and I haven't gotten
malware in years.

~~~
weavejester
Even if you know what you're doing, do you know what your computer is doing?
In detail?

I have only the most general of ideas of what my computer is doing at any one
time. I know that the software I was using one year ago was riddled with
vulnerabilities that were undetected at the time. It seems foolish to assume
that the software I'm using now doesn't have similar issues.

I personally welcome anything that lowers my security risk. Sandboxing
applications seems a fantastic idea, if it can be done without unduly
affecting my workflow.

~~~
wfunction
> Even if you know what you're doing, do you know what your computer is doing?
> In detail?

It's just like a car. You don't have to know how your car's engine works to be
able to tell when your car isn't running like it's supposed to. As for my
computer, I know it in as much detail as I think is necessary for telling
whether or not the computer is "healthy", so yes. (See my response to the
other comment for more.)

~~~
weavejester
Your computer can be compromised without demonstrating any visible signs of
it. For example, a keylogging process takes minimal CPU and bandwidth
(especially if zipped and batched), and could be inserted by an unknown zero-
day vulnerability. It _might_ be caught by an IDS, but the long and short of it
is that there's simply no way of telling for sure whether or not a machine has
been compromised or not.

Security isn't an absolute; it's just a matter of how much risk you're willing
to allow for convenience. Ideally you make it hard enough to compromise your
machine that an attacker won't bother.

~~~
wfunction
> Your computer can be compromised without demonstrating any visible signs of
> it.

Yours can too. How do you know yours isn't?

~~~
weavejester
I don't. Absolute security is impossible; all I can do is take precautions
that minimise the risk. That's why sandboxing of apps seems a rather good
idea: it reduces the risk without adding much inconvenience to the user.

~~~
wfunction
> I don't. Absolute security is impossible

Yeah, then why do you suddenly jump when I tell you the same thing? To the best
of my knowledge I don't have any malware, and to the best of your knowledge
you don't either. Seems pretty equal to me, yet somehow you freak out when I
say the same thing as you do. I'm pretty sure I'm _at least as certain as you
are_ that my system doesn't have any malware, so if that's not enough of an
assurance for you then it shouldn't be enough for you either.

~~~
weavejester
Because regarding the sandboxing of applications, you said:

> Absolutely horrible idea. Linux users aren't exactly in desperate need of
> protection from their computers.

If you agree that your system can be compromised, why would you say that an
extra layer of protection was a bad idea?

~~~
wfunction
Because I'm almost certain that it will cause some kind of inconvenience down
the road. It's unlikely to be "free" -- no OS-level security feature I've
seen has been "free" in terms of convenience.

~~~
weavejester
Just off the top of my head, hard drive encryption is an OS-level security
feature that's reasonably "free" in terms of convenience.

But even if all previous efforts have failed, which I really don't think is
the case, trying to improve security is surely a laudable goal. And even if
_you_ would consider sandboxing to be inconvenient, there are plenty of people
who'd love to have something like that.

Right now, if I open up an application, I have no idea what directories it's
accessing or servers it's communicating with. Forcing an app to tell me
whenever it wants to access something new would be fantastic, and as a side
effect, it would put pressure on application programmers to reduce the number
of privileges they ask for.

