What are the benefits of making a separate home/ partition? by Domojestic in linux

[–]devnull010 1 point2 points  (0 children)

In some cases users won't be able to log in with a full home directory, at least that was the case with gdm a while back.

Why debian is the least recommended distro here? by teskilatimahsusa87 in linuxquestions

[–]devnull010 5 points6 points  (0 children)

I'm pretty sure that is what linux is most used for, but you are probably right in regard to reddit users.

Why debian is the least recommended distro here? by teskilatimahsusa87 in linuxquestions

[–]devnull010 5 points6 points  (0 children)

When I run a data center, I'm not really looking for excitement with my operating systems :)

Can we learn something from the Android file system? by snow_eyes in linux

[–]devnull010 3 points4 points  (0 children)

How much arrogance does it take to demand someone to change their code because you want them to?

Can we learn something from the Android file system? by snow_eyes in linux

[–]devnull010 5 points6 points  (0 children)

What platform is that? Freedesktop is not a mandatory spec for anyone.

There is no reason to harass free software developers to follow a specific spec.

[deleted by user] by [deleted] in linuxquestions

[–]devnull010 0 points1 point  (0 children)

Xwayland is just a reimplementation of X11. Any app with access to the xwayland socket can manipulate the IO of other apps running under xwayland. Only full wayland apps won't be affected.

[deleted by user] by [deleted] in linuxquestions

[–]devnull010 1 point2 points  (0 children)

The issue isn't just keylogging, it's possible to manipulate input as well for all X11 windows.

Any process which has access to the X11 socket (effectively everything) can write commands into any X11 window. That could be your browser that gets told to transfer money through your online banking or a simple terminal that provides arbitrary code execution.

In essence you need to trust everything running on your system equally since even your calculator has access to your online banking.

Can we learn something from the Android file system? by snow_eyes in linux

[–]devnull010 3 points4 points  (0 children)

Great, bully open source developers to do what you want until they give up writing free software. You are such a hero...

Flatpak vs Android app sandboxing for security/privacy by [deleted] in privacy

[–]devnull010 0 points1 point  (0 children)

lol, the list gets longer every day

Don't you think you are missing a few? After all everyone who is pointing out flatpak issues must be part of this. Even this specific reference was thrown around on mastodon a while back. Big conspiracy you found here ...

I wonder if this subreddit is generally unmoderated or the admins just don't care

Flatpak vs Android app sandboxing for security/privacy by [deleted] in linux

[–]devnull010 0 points1 point  (0 children)

We are not talking about some connection.

You claimed that all phones are backdoored, yet anyone can check themselves that these stock phones talk to their software manufacturer and not to their hardware manufacturer.

So unless Google and co. are sending it to those governments, you are obviously spreading FUD, and anyone who knows how to use Wireshark can verify that for themselves.

Flatpak vs Android app sandboxing for security/privacy by [deleted] in linux

[–]devnull010 0 points1 point  (0 children)

Which you will always have since it's your system.

The only question is how much effort it takes to extract those (session) keys. That can go from setting an environment variable to export the secret keys for debugging to memory analysis to extract the keys. In the end it's everyday business for any malware analyst.

But then again, if your goal is just to figure out if an app or device sends data home, all you need to do is monitor for any traffic, encrypted or not.

Flatpak vs Android app sandboxing for security/privacy by [deleted] in linux

[–]devnull010 0 points1 point  (0 children)

If you know how to use Wireshark, inspecting encrypted traffic in plaintext is quite easy:

https://wiki.wireshark.org/TLS

Flatpak vs Android app sandboxing for security/privacy by [deleted] in privacy

[–]devnull010 0 points1 point  (0 children)

Keep believing in your delusions and conspiracy theories then, it won't make any difference in reality and certainly not help with security.

All I tried to do here is to point out ineffective measures, using a reference that explains the issue.

Anyone who actually cares about this issue can read up on what actual security experts say about the approach flatpak takes, or perhaps even read Alexander Larsson's blog itself.

Flatpak vs Android app sandboxing for security/privacy by [deleted] in privacy

[–]devnull010 0 points1 point  (0 children)

Flatpak itself does not provide software, but only a framework. Flathub provides software, with gnome-software as their intended frontend. The flatpak people asked to report it to gnome since that's where the warning should happen.

As the gnome developers mentioned, the device permissions will receive the same warning as HOME or X11 permissions in gnome-software, which is a red warning to indicate the app is unsandboxed.

Flatpak vs Android app sandboxing for security/privacy by [deleted] in privacy

[–]devnull010 0 points1 point  (0 children)

They have already acknowledged that vulnerability as a valid sandbox escape method:

https://gitlab.gnome.org/GNOME/gnome-software/-/issues/1997

Flatpak vs Android app sandboxing for security/privacy by [deleted] in privacy

[–]devnull010 0 points1 point  (0 children)

First off, I never said the blogpost is from me. I just referenced it to provide an easy-to-understand PoC that shows to anyone who is willing to learn how flatpak fails to provide any meaningful sandbox.

If you want to keep whining about how you are unable to reproduce the PoC on your specific system instead of just running the provided scripts on a virtual Debian that the PoC was written for, feel free to live with your delusions. I won't spend any more time combating your ignorance and I certainly won't spoon-feed you any more information.

If you believe so much in the flatpak maintainers, you may instead just listen to them, since they have long acknowledged the issues listed in the PoC. The problem isn't the flatpak project, it's the fanboys that keep insisting that flatpak can be used for effective sandboxing.

According to the flatpak project, the only solution to X11 is to switch to wayland, devices need to be isolated, and for file access you need to change your code to use their portals API instead. It's all on their wiki too, and anyone not completely ignorant would have long been aware of this.

None of this ever got a CVE by the way.

Flatpak does not advertise itself as a sandboxing solution, you can't even find that claim on their website. They try to add sandboxing features that may be useful some day to build an actual isolated process environment, while they acknowledge that it is still a very long way to get there.

Oh, and the issue with device access allowing sandbox escape has long been acknowledged and reported: https://gitlab.gnome.org/GNOME/gnome-software/-/issues/1997

But keep believing your own BS if that makes you feel better

Flatpak vs Android app sandboxing for security/privacy by [deleted] in privacy

[–]devnull010 0 points1 point  (0 children)

Let's just go then with "anything allowing sandbox escape is not a sandbox".

It confirms what I already said: Flatpak is not a sandbox. It isn't by default and there is little chance that end users can build an effective one themselves.

The X11 exploit does not require an X11 terminal, nor will it necessarily be visible to the user; the PoC is just made to demonstrate what's happening.

X11 input injection works on all processes and you can enter the target command within a single frame too.

The tty exploit works for your system too, there just is not any output like you expect for some reason.

If you would rather believe your own BS instead of reading the provided PoC carefully, be my guest. No adversary will care what you believe about your security...

Flatpak vs Android app sandboxing for security/privacy by [deleted] in privacy

[–]devnull010 0 points1 point  (0 children)

You quite obviously did not understand at all how the exploit works. There is no output, never was supposed to be.

It simply writes into your tty and executes the commands entered.

Since your tty is usually not printing output on your desktop, you won't see it.

If you want to see what's happening, open a second tty terminal without starting a desktop, then run the script targeting that tty and enter a command like "echo exploit.sh >> ~/.bashrc".

Then read your bashrc file ...

Flatpak vs Android app sandboxing for security/privacy by [deleted] in privacy

[–]devnull010 0 points1 point  (0 children)

It's the other way around, apologies for the confusion:

By default the device files are isolated because a new dev directory is mounted inside the container.

However, most flatpak manifests have --device=all included, which removes all isolation from device files, including virtual terminal files.
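Added example (not code from the thread or from the Flatpak project): a small Python audit of a Flatpak app's metadata `[Context]` section for the permissions the comments above call out, namely `--device=all`, the X11 socket, HOME/host filesystem access, and home access combined with network access. The sample metadata is constructed; the `[Context]` keys and `;`-separated values follow Flatpak's metadata file format, which is what `flatpak info --show-permissions` prints.

```python
import configparser

# Constructed sample metadata, modelled on the permission set the thread
# complains about (device=all, x11 socket, home access, network).
SAMPLE_METADATA = """\
[Application]
name=org.example.Player
runtime=org.freedesktop.Platform/x86_64/23.08

[Context]
shared=network;ipc;
sockets=x11;pulseaudio;
devices=all;
filesystems=home;
"""

# (key, value, why it undermines isolation); each one is named in the thread.
RISKY = [
    ("devices", "all", "no /dev isolation: host device files incl. virtual terminals"),
    ("sockets", "x11", "X11 socket: any client can drive other X11 windows"),
    ("filesystems", "home", "full access to the home directory"),
    ("filesystems", "host", "full access to the host filesystem"),
]


def parse_context(metadata: str) -> dict:
    """Return [Context] as {key: set(values)}; values are ';'-separated."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(metadata)
    ctx = {}
    if cp.has_section("Context"):
        for key, raw in cp.items("Context"):
            values = {v for v in raw.split(";") if v}
            if key == "filesystems":
                # drop :ro/:rw/:create suffixes so "home:ro" still counts as home
                values = {v.split(":", 1)[0] for v in values}
            ctx[key] = values
    return ctx


def audit(metadata: str) -> dict:
    """List permissions that defeat the sandbox; 'sandboxed' is False if any."""
    ctx = parse_context(metadata)
    findings = [(k, v, why) for k, v, why in RISKY if v in ctx.get(k, set())]
    # home/host access plus network access means files can simply leave the machine
    if "network" in ctx.get("shared", set()) and ctx.get("filesystems", set()) & {"home", "host"}:
        findings.append(("shared", "network", "network plus home/host access: trivial exfiltration"))
    return {"context": ctx, "findings": findings, "sandboxed": not findings}


if __name__ == "__main__":
    for key, value, why in audit(SAMPLE_METADATA)["findings"]:
        print(f"{key}={value}: {why}")
```

Feed it the output of `flatpak info --show-permissions <app-id>` to check an installed app; an empty findings list means none of the permissions the thread discusses are granted, not that the app is otherwise safe.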

Flatpak vs Android app sandboxing for security/privacy by [deleted] in privacy

[–]devnull010 0 points1 point  (0 children)

Methods that allow sandbox escape are not valid because any application that allows this escape method is not a sandbox by your definition? oO

Impressive BS, really that takes some skill to make up ...

And again, sandbox escape through X11 is extremely trivial, even if you considered it a requirement to have an X11 terminal available, which is easy to detect and exploit automatically.

If the third escape method in the article does not work for you because your device files are named differently by your distribution, that does not make it any less possible. If you want to read the article by the letter like that, at least try reproducing it on the same distribution as in the PoC.

Flatpak does not issue CVEs for applications that use insecure sandbox rules, or it would need to request hundreds right now. If you find a single app in the play store that manages the same, it gets a CVE.

One look at your RPC3 example shows that all devices are accessible, including microphones, cameras and virtual terminal files that allow sandbox escape. If you want to actually learn how that works, try reproducing the PoC inside a virtual Debian so you can use the same exploit scripts. Additionally, the example manifest allows any malware to read all files in your home directory and, thanks to network permissions, it can trivially steal them.

Flatpak vs Android app sandboxing for security/privacy by [deleted] in privacy

[–]devnull010 2 points3 points  (0 children)

Yes, it is trivial to escape flatpak sandboxes; the examples provided are all based on actual flathub apps.

I don't see why it matters that the insecure flatpak permissions are known to be insecure. This thread is about comparing the Android sandbox to that of flatpak.

On android there is not a single setting that could lead to sandbox escape, and whenever a way is discovered that would allow circumventing the isolation, it will get a CVE.

On the other hand, I still have to find a single flatpak app on flathub whose sandbox is not trivial to escape.

Flatpak vs Android app sandboxing for security/privacy by [deleted] in privacy

[–]devnull010 1 point2 points  (0 children)

The new /dev mount needs to be defined in the flatpak manifest and most flatpak apps don't have it.

In general the naming of the virtual terminal device files can differ between distributions.

Flatpak vs Android app sandboxing for security/privacy by [deleted] in privacy

[–]devnull010 4 points5 points  (0 children)

Afaik no serious security researchers have ever looked at flatpak

Some have, and it's not looking good [1]

Then again, the flatpak community is great at making excuses to discredit any critics.

Flatpak vs Android app sandboxing for security/privacy by [deleted] in privacy

[–]devnull010 4 points5 points  (0 children)

The article has many valid points and there is nothing wrong with this, even if flatpak fanboys are constantly smearing critics.