Ask HN: How secure is desktop Linux? Is it stuck in the nineties?

10 points by urgent_skittle 16 days ago

When I switched from Windows XP to Linux, it was considered the more secure OS. On Windows, users were still running with admin rights by default.

I've used CrunchBang Linux, Lubuntu and Linux Mint since then, and while the security of dominant consumer OSes—now Android and iOS—has improved significantly in the past 15 years, not much seems to have changed on desktop Linux.

Where on my smartphone I can grant an app access to only the one photo I need it to have access to, on Linux, for all I know every program that is running under my user account may have uploaded all of my personal files to a malicious actor a thousand times over.

Where on my smartphone I can deny an app access to my location, on my laptop any application can easily get my external IP address and a list of wifi access points and bluetooth devices.

I read Windows and MacOS have adapted to the age of always online computers as well. Why are Linux distros not keeping up and applying the principle of least privilege?

RGamma 16 days ago

A lot of sandboxing ability is there (LSMs, virtualization, namespaces, firejail, bubblewrap, xdg-desktop-portals...), but it's not so well integrated, many applications haven't been written with it in mind and you'll basically have to set it up yourself. It's definitely the future though!

rini17 16 days ago

Linux desktop users prefer open source apps that don't have a commercial incentive to upload your personal data. Under X11 it is even possible to intercept input to any application; however, this is no longer the case in Wayland. It is possible to do complete isolation, but most people don't bother yet.

silverquiet 16 days ago

I always thought part of the point of open source is that the code is auditable so you can see if anyone does anything nasty. That obviously doesn't mean you can grok the code of all that you use but at least the community may in theory be able to. If you're installing software you don't trust, then in my opinion you've already lost most of the battle.

That said, I would think mandatory access control via SELinux could do a lot of what you're suggesting, though I've only ever really tangled with it on servers, not consumer/desktop type computing. I think in that sense, Linux actually got a lot of security features before Apple/Microsoft.

  • themerone 16 days ago

    It's not the point of open source, but it is an argument in favor. It's also been pretty thoroughly debunked. Vulnerabilities rates are comparable between open source and proprietary software.

    Very little open source code is carefully audited, and the availability of source code also benefits bad actors.

    I'm a huge proponent of open source, but security just isn't a strong argument.

  • porcoda 16 days ago

    > I always thought part of the point of open source is that the code is auditable

    Yes, it's theoretically true but doesn't actually occur in practice - largely because open source rarely sits still long enough for people to actually have the capacity to audit. From my vantage point, that capacity is consumed by addressing known bugs and issues, and the never ending feature adding and adaptation to changing whims of the developer community.

    For example, the most recent high profile event w/ xz wasn't due to an audit but a lucky event of someone noticing something weird that caused an audit AFTER the weirdness was noticed. Had nobody noticed the weirdness, it's not likely any auditing would have occurred to notice it.

    There is certainly a benefit to open source from transparency that allows such scrutiny when something weird happens. Had that code been closed source, it's very likely nobody would have been able to figure out what was going on nearly as fast.

  • aborsy 16 days ago

    The technology is there, but Linux desktop lags behind in making use of it.

    ChromeOS and Android take something like Gentoo Linux, enforce SELinux and sandbox the applications. In Linux, there are SELinux and AppArmor, but few apps have profiles and are properly contained by default.

KomoD 15 days ago

> Where on my smartphone I can grant an app access to only the one photo I need it to have access to, on Linux, for all I know every program that is running under my user account may have uploaded all of my personal files to a malicious actor a thousand times over.

Flatpak

> Where on my smartphone I can deny an app access to my location, on my laptop any application can easily get my external IP address and a list of wifi access points and bluetooth devices.

Flatpak

> Why are Linux distros not keeping up and applying the principle of least privilege?

They're keeping up just fine?

  • hollerith 15 days ago

    Can you point to any kind of write-up (or video or audio) from an expert on security who has examined Flatpak?

    I always thought that Flatpak's security properties rely on Linux container tech and that it is pretty easy for an attacker to break out of a Linux container (which is why Qubes uses VMs and why public cloud providers use VMs).
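KomoD answers both of the OP's scenarios with "Flatpak" and hollerith asks what that actually buys. The script below is an added example, not code from either commenter or from the Flatpak project: a POSIX sh wrapper around `flatpak override` that strips an app's static home/host filesystem grants, leaves it exactly one read-only file, unshares the network, drops host device access and removes the `org.freedesktop.Flatpak` D-Bus name (the one that lets a sandboxed app run commands on the host). The app ID `org.example.Viewer` and the picture path are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: per-user Flatpak overrides that
# leave an app one read-only file from $HOME, no network and no host devices.
# org.example.Viewer and the picture path used below are placeholders.

# Print, one per line, the `flatpak override` arguments for app $1 and the
# single allowed file $2. Overrides can only remove or narrow what the app's
# own manifest asked for; `flatpak override --user --reset APP` undoes them.
flatpak_lockdown_args() {
    app=$1
    allowed=$2
    # --nofilesystem=host/home: drop the blanket grants most desktop apps ship.
    # --filesystem=FILE:ro:    the one picture, read-only.
    # --unshare=network:       no network namespace shared with the host.
    # --nodevice=all:          no /dev passthrough (dri, kvm, input, ...).
    # --nosocket=system-bus:   no system D-Bus (NetworkManager, BlueZ, ...).
    # --no-talk-name=org.freedesktop.Flatpak: without this name the app
    #   cannot use the portal that spawns processes outside the sandbox.
    printf '%s\n' \
        --user \
        --nofilesystem=host \
        --nofilesystem=home \
        --filesystem="$allowed:ro" \
        --unshare=network \
        --nodevice=all \
        --nosocket=system-bus \
        --no-talk-name=org.freedesktop.Flatpak \
        "$app"
}

# Apply the overrides and print the resulting per-user override file.
# Returns 127 when flatpak is not installed, otherwise flatpak's status.
flatpak_lockdown() {
    app=$1
    allowed=$2
    if ! command -v flatpak >/dev/null 2>&1; then
        echo "flatpak not installed" >&2
        return 127
    fi
    # Turn the newline-separated list back into an argument vector.
    # Splitting on newline only keeps paths with spaces intact; set -f
    # stops the shell from glob-expanding anything in the list.
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $(flatpak_lockdown_args "$app" "$allowed")
    set +f
    IFS=$old_ifs
    flatpak override "$@" && flatpak override --user --show "$app"
}

# Usage: sh lockdown.sh org.example.Viewer "$HOME/Pictures/vacation.jpg"
if [ $# -eq 2 ]; then
    flatpak_lockdown "$1" "$2"
fi
```

Two things to check after running it. First, `flatpak override --user --show` only lists the overrides; compare with `flatpak info --show-permissions APP` to see what the manifest granted in the first place. Second, removing `home` does not break file opening: an app that uses the file chooser portal gets the picture the user picks handed in through xdg-desktop-portal, which is exactly the one-photo grant the OP describes, while a static `--filesystem=home` would be the "every program can read everything" case. One caveat from rini17's comment applies here too: if the manifest has `--socket=x11`, the app can still snoop input from other X11 clients, and `--nosocket=x11` only works for apps that can run on Wayland.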

stop50 16 days ago

Flatpak and the containerization programs (docker, podman, ...) use the APIs of the kernel to prevent access to your files; this is already used by Firefox to prevent JavaScript from accessing data it shouldn't. Additionally, SELinux or AppArmor can limit access from services to your files. Android uses SELinux, unprivileged users and binder to isolate apps.

nathants 16 days ago

run mighty-snitch[1] and you’ll be a little more secure.

aside from mandatory access control, for which there isn’t a usable solution for the typical desktop setup, monitoring network access attempts is as good as it gets.

you’ll be surprised how often everything is trying to phone home. firefox is particularly chatty to mozilla endpoints.

i tried to get filesystem filtering working via this same lsm, but couldn’t get it to work well enough. haven’t made another attempt since. definitely should work. hope to revisit or setup a bounty for it someday.

1. https://github.com/nathants/mighty-snitch

aborsy 16 days ago

Ubuntu Core, all-snap and immutable, is coming, perhaps this October.

1oooqooq 16 days ago

If you install firejail then it behaves as badly as the newer things you describe (that is, most programs are started via a symlink to firejail, which then starts that program in a restricted env: namespaces, cap drop, AppArmor, etc. But it's finicky and easy for the user to bypass, even by mistake; again, just like the alternatives you list).

Linux still requires you to read. Arch has the best non-condescending docs.

  • anthk 16 days ago

    Bubblewrap is not that difficult.

    • 1oooqooq 15 days ago

      bubblewrap is just simpler than either firejail or apparmor, both in usability and effectiveness. But yes, it is much better designed than firejail, which is just a disaster full of silent footguns.
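RGamma lists bubblewrap among the building blocks, and anthk and 1oooqooq argue about how hard it is to use. As an added example, not code from any commenter or from the bubblewrap project, here is a POSIX sh wrapper that runs a program under `bwrap` with read-only access to exactly one file under `$HOME`, the rest of `$HOME` hidden behind an empty tmpfs, and no network. This is the raw namespace layer that Flatpak builds on. The program path `/usr/bin/viewer` and the picture path are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: confine a program with bubblewrap
# so that the only thing it can see from $HOME is one read-only file.
# /usr/bin/viewer and the picture path used below are placeholders.

# Print, one per line, the bwrap arguments that run program $1 with
# read-only access to file $2 and nothing else from $HOME.
#
# Order matters: the empty tmpfs is mounted over $HOME first, then the single
# file is bind-mounted into that empty tree (bwrap creates the mount point).
# --unshare-all gives new user, pid, net, ipc, uts and cgroup namespaces, so
# the program has no network at all; --new-session stops it from injecting
# keystrokes into the parent terminal via TIOCSTI; --die-with-parent kills
# the sandbox if this wrapper dies.
bwrap_single_file_args() {
    prog=$1
    allowed=$2
    printf '%s\n' \
        --ro-bind /usr /usr \
        --ro-bind /etc /etc \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --symlink usr/bin /bin \
        --proc /proc \
        --dev /dev \
        --tmpfs "$HOME" \
        --ro-bind "$allowed" "$allowed" \
        --unshare-all \
        --die-with-parent \
        --new-session \
        -- "$prog"
}

# Run it. Returns 127 if bubblewrap is not installed, otherwise bwrap's
# exit status (which is the program's exit status).
bwrap_single_file() {
    prog=$1
    allowed=$2
    if ! command -v bwrap >/dev/null 2>&1; then
        echo "bwrap not installed" >&2
        return 127
    fi
    # Turn the newline-separated list back into an argument vector.
    # Splitting on newline only keeps paths with spaces intact; set -f
    # stops the shell from glob-expanding anything in the list.
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $(bwrap_single_file_args "$prog" "$allowed")
    set +f
    IFS=$old_ifs
    bwrap "$@"
}

# Usage: sh onefile.sh /usr/bin/viewer "$HOME/Pictures/vacation.jpg"
if [ $# -eq 2 ]; then
    bwrap_single_file "$1" "$2"
fi
```

A quick way to see what the sandbox looks like from the inside is to pass `/bin/sh` as the program and run `ls -la "$HOME"` and `ip link` (or `cat /proc/net/dev`) in it: the home directory contains only the one file's parent path, and there is no interface but `lo`. Two caveats a practitioner will hit immediately. A GUI program needs its display socket bound in (for X11, `--ro-bind /tmp/.X11-unix /tmp/.X11-unix` plus `DISPLAY`), and on X11 that single bind hands the program the ability to read every other client's input, which is the point rini17 makes above; a Wayland socket bound the same way does not. And `/etc` is bound read-only here for simplicity, so anything world-readable in it (`/etc/passwd`, `/etc/hosts`, `/etc/machine-id`) is visible to the sandboxed program.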

gtirloni 16 days ago

Search for Flatpaks.

throwaway89988 15 days ago

Linux desktop user here, and you ask a very good question which frustrates me to no end.

You are 100% correct, everything which is executed with your login user's rights can happily upload everything from your home to some random servers or exfiltrate information in other ways.

That Open Source solves the problem because the source code is available shows a blatant misunderstanding of the software supply chain, software supply chain attacks and the economics of Open Source (e.g. the code you see on GitLab or GitHub does not have to have any resemblance to the code your binary was built with, and even if the code you see was used, you don't know about compiler backdoors etc.). Further, all Open Source projects/distributions are understaffed and badly paid unless we speak about server Linux, which is another story.

Why does Linux not keep up? IMHO several reasons

- There is no money in Linux desktops (seeing how MacOS/Windows try to upsell users with every second click should give you an idea how bad the situation with Linux market share is)

- People with the security and programming skills are quite senior and in high demand by companies (or running OpenBSD :-P)

- The Linux community is one of the most toxic/opinionated communities in IT, so every Open Source initiative will have to fight an uphill battle for years (look at Flatpak/SNAP, all the discussions/misunderstandings and crazy ideas people have)

- For servers we have SELinux and AppArmor, which could in theory also work for Linux desktops, but even for a security-affine Linux user like myself it is too cumbersome/complicated to set up/maintain, outside of enabling it for browsers and other highly exposed programs

- Whenever I submit a patch/PR for an Open Source project which affects me on Debian, the maintainers literally beg me to take care of maintenance or at least Debian packages. I cannot even understand how delusional people are who want every software on earth as a native package for their variant of Linux of the week. We are far beyond the breaking point and the only people not seeing this are not contributing to Open Source, but complaining very loudly and visibly in online forums. Flatpak/SNAP are the only solutions we have if you want up-to-date software which was built by the original authors. (Remember the time a Debian maintainer broke SSH keys? Yeah, I do.) Especially security-relevant software must be built by the authors and not some random maintainers who might or might not have a clue what they are doing.

There might still be a bright future for Linux desktop security; IMHO it depends on immutable systems/flatpak/SNAP. Given the current adoption rate and BS discussions, I expect around 2040 we will be there with a broken implementation and not ready for the next generation's exploits. :-P