The usual answer in Android is "you can't do that". The primary difference from my perspective is that developers for those platforms design with the limitations in mind. Stuff on linux often just breaks and requires involved workarounds if it wasn't intended by the developer to be stuffed into a flatpak. (And might not even compile under nix without half a dozen monkey patches to the build system, let alone run once built.)
I think developers of desktop applications are generally open towards facilitating sandboxing though. Most applications use standard XDG folders for files, use standard toolkit file pickers, etc.
I don't have hard data, but my impression is that the general tendency in Flatpaks is that they are able to do more sandboxing over time. When Flatpak was new, a lot of applications pretty much required completely opening their sandboxes; the same applications have much more limited privileges nowadays.
It's a long process, but at least with desktop applications there is progress. Unfortunately, the same can't really be said about command-line tools and development tools (NPM, cargo, pip, editor plugins, etc.).
I'm not even sure what it would look like for CLI tools. Probably the sandboxing tools themselves need better controls and better UX for those controls.
For CLI a solution would probably look a lot like unshare or (a more user friendly version of) setcap. The user would need to reach out to the sandbox to communicate what additional things to permit during this specific session.
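As an added illustration of the "unshare with per-session grants" idea in the comment above (this is not code from any commenter or from any project): a small POSIX sh wrapper that starts from a closed default (separate user, mount, pid, ipc and network namespaces via util-linux `unshare`) and only widens what the user explicitly names for this run. The grant vocabulary (`net`, `pid`, `ipc`) is invented here; unknown grants are rejected rather than ignored so a typo cannot silently open the sandbox, and every run logs its grants so the session is auditable.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux with util-linux `unshare`
# and unprivileged user namespaces enabled. Grant names are a hypothetical
# vocabulary chosen for this example.

# has_grant GRANTS NAME: is NAME in the comma-separated GRANTS list?
has_grant() { case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac; }

# sandbox_flags GRANTS: print the unshare flags for this session.
# Default posture: everything isolated; each grant removes one isolation.
sandbox_flags() {
  grants="$1"
  flags="--user --map-root-user --mount --fork --kill-child"
  has_grant "$grants" net || flags="$flags --net"            # no network unless granted
  has_grant "$grants" pid || flags="$flags --pid --mount-proc" # private pid tree + fresh /proc
  has_grant "$grants" ipc || flags="$flags --ipc"            # private SysV IPC / POSIX mqueues
  printf '%s\n' "$flags"
}

# validate_grants GRANTS: fail on any grant name we do not know.
validate_grants() {
  for g in $(printf '%s' "$1" | tr ',' ' '); do
    case "$g" in
      net|pid|ipc) ;;
      *) echo "unknown grant: $g" >&2; return 1 ;;
    esac
  done
  return 0
}

# run_sandboxed GRANTS CMD...: run CMD inside the namespaces, logging the grants.
run_sandboxed() {
  grants="$1"; shift
  validate_grants "$grants" || return 2
  echo "sandbox: running '$*' with grants='${grants:-none}'" >&2
  # shellcheck disable=SC2046  (flags are intentionally word-split)
  unshare $(sandbox_flags "$grants") -- "$@"
}

# sandbox_supported: can this user create a user namespace here at all?
sandbox_supported() { unshare --user --map-root-user true 2>/dev/null; }

# Demo (run as `sh sandbox.sh --demo`): /proc/net/dev lists only `lo` in the
# default posture and the host interfaces once `net` is granted.
if [ "${1:-}" = "--demo" ]; then
  if sandbox_supported; then
    echo "--- default (isolated network) ---"
    run_sandboxed "" cat /proc/net/dev
    echo "--- with grant: net ---"
    run_sandboxed net cat /proc/net/dev
    echo "--- typo in grant name is refused ---"
    run_sandboxed "net,sudo" true || echo "refused, exit $?"
  else
    echo "unprivileged user namespaces not available here" >&2
  fi
fi
```

The point of the wrapper is the shape of the interface rather than the specific flags: the tool never gets to ask for more, the user states the extra permissions at the moment of invocation, and the log line is the record of what was granted.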
And then inevitably someone would configure the equivalent of passwordless sudo at which point I wonder what the point of the whole thing was to begin with. Related, we need a better paradigm for CLI to differentiate between user versus programmatically generated input. A program shouldn't be able to impersonate me unless I explicitly granted it some extremely unusual privileges.
You would essentially need Android or iOS for it to not be a pain in the ass.
Nonetheless, in this day and age this should be the bare minimum from a security point of view.