undefined | Better HN

0 pointsneop1x4d ago0 comments

For linux we have bubblewrap, firejail, apparmor and selinux (popular ones, there are far more). But it is often complicated and annoying to set up. Normally one would expect sw developers would write security rules for their apps but it is difficult due to amount of different sandboxing tools and various distro-specific configuration changes.

It would be nice to have it sorted out somehow. Actually Snap is an interesting example of something done in that regard.

0 comments

AlienRobot4d ago

Yes, and I wish Linux developers would see their own hypocrisy.

Linux users love to say that "fragmentation is good" but they also depend fully on root, sudo, users/groups, and RWX file permissions. Those are "standards" enforced by having only 1 way of doing something, the kernel.

skydhash3d ago

Don’t forget that Linux is Unix inspired. And unix were meant to be used on servers and mainframe where root were used by a trained sysadmin. Users were not meant to install applications, and their actions has little impact on the system integrity (if they’re not actively attacking it)

But now with PC, you are root on your local machine, and some abuse that power without even knowing what it entails. You could easily sandbox npm, by creating a user for your js dev persona. But that’s not convenient, so no one does it.

nurple4d ago

Don't forget user accounts!

j / k navigate · click thread line to collapse