If you run programs that you can't trust (for example because the source is unavailable and/or nobody reads it, no one is a gatekeeper of program updates etc), then you are opening yourself to attack because the default unix security model is just as bad as the Windows one. (The Windows one used to be much worse, but it isn't anymore, now they are the same badness)
Nowadays, the web browser is used as a platform to run programs on and so it has a lot of access to weird things (multiple monitors, local filesystem, ...) so one has to be careful what you enable there--since you probably run a lot of Javascript written by shady people you don't know.
The Linux desktop security model has user accounts, and then files have permissions for those users (yeah, there are also user groups, whatever). That means if you have a misbehaving (or malicious) program, it can read stuff in your home directory since that's owned by the same user account--so it can read your saved passwords, delete all your photos, figure out your banking info--but hey, at least it can't remove your printer (since for the latter you need to use the root user account :P) /s .
There are mitigations against that and the easiest (and crappiest) one is containerization: just run each program in an isolated virtual-machine-like-thing and they can't access other program's data (i.e. the rest of YOUR data) in the first place.
Then there's SELinux which flips this entire thing on its head. By default, nobody can do anything (that's the first very good decision!). If a process wants to do things, there has to be a policy installed that mentions that specific thing to be allowed and when. Otherwise no go. This way of working is much safer, BUT someone has to maintain those policies! And it must not be the program's author since he could just add whatever line he wants to have to the policy--and that's obviously bad. So who does it? Usually the Linux distribution's maintainer. Or, more commonly, nobody--so there's no policy for your favorite program and so it won't work.
Although I use the term "virtualization" the same way as you want to understand it, containers are still called "virtualization", as this wikipedia page suggests:
Good to know about it. Especially once you meet decades-experienced folks (mainframe guys), they rather use the word "virtualization" in its broader sense, yet they understand the difference between containers and virtual machines.
Userspace namespaces/chroots/jails are NOT virtualizations, period. Plan9/9front it's composed/run on namespaces and no one would say every window(1) process it's being virtualized because it has instances of different Plan9 devices such as their own /dev/draw.
Well, if you rent containers, you get containers. If you rent bare-metal machines, you get bare metal machines. So I don't see how this assertion makes any sense.
The CMU article skims around the names but call containers "virtual runtime environment" instead of straight "virtualization". But by that definition everything in any modern computer is "virtualized" because it runs over Virtual Memory.
"read scripts before you run them" is a good bit of advice. Some little things can help you protect your GUI apps if you're extra paranoid (eg. Wayland is more secure, Flatpak offers additional sandboxing with bubblewrap) but not everything is necessary.
If you use a mainstream distro like Fedora or Ubuntu, its default configuration should be safe enough to use like Windows. Just remember that there isn't really any antivirus or Microsoft Defender to save you if you really mess up. I do offline backups of important work on all my devices, for this reason partially.
How do you check it without running something that may execute it? Many scripts will execute if opened with vi or even cat or printf from what I understand.
I haven't encountered this. You can execute scripts intentionally in vi, and I assume you could configure it to happen automatically, but can this happen without you making some sort of effort to enable it?
What scripts present such a risk? What vi configuration is required to stop this?
Maybe they mean that it can include control characters that mess up your terminal and make it look like something malicious is happening, which of course is not the same as executing it (and has a warning anyway).
>Some little things can help you protect your GUI apps if you're extra paranoid
Can you explain this? What are the exploits?
Is it the equivalent of running a .exe or .jar on windows, but with an extra layer of protection? (Or am I trying to shove my windows ideas into linux?)
Traditional desktop Linux allows different apps to more-or-less freely communicate with each other (called the x11 protocol). This works really well for old apps (and admittedly not too bad for new ones) but is very slow and exposes a lot of bugs. On top of this, you have potential exploits in your filesystem from loosely permissioning important settings and identity files. So, the attack surface for a traditional Linux distro is relatively large.
> Is it the equivalent of running a .exe or .jar on windows, but with an extra layer of protection?
Kinda! Linux software is distributed as packages, which contains a binary (the exe/jar portion), a dependency manifest and whatever static content it needs. A sandbox like Flatpak will take those packages and put it into a sandbox, to prevent hostile interprocess communication and filesystem exploits.
None of these mitigations are perfect per-se (nor are they on Mac/Windows), so use them wisely if you intend to use them at all. I have used a non-sandboxed system to run old 90s Windows games for years though, and haven't picked up any significant issues. YMMV, it is Linux after all :P
That doesn't help when a bunch of disparate credentials are entered and cached in a shared runtime environment inside the same bunch of processes (aka: your browser).
There's also a newer protocol called "Wayland" which aims to avoid some issues with X11 (and is also a general architecture overhaul). GNOME and KDE support it out of the box and iirc at least GNOME also enables it by default.
There are some tradeoffs though. Some things like screen sharing might be worse on Wayland (e.g. I can't share a single window, only whole screens) and some apps don't support Wayland at all (including for example all of the IntelliJ IDEs). The latter can be circumvented by enabling XWayland (basically an X server running side by side with the Wayland compositor to handle X11-only apps). In that case you're left with the X11 security model for apps not running natively on Wayland.
Interesting. Do you know why? I've only ever tried launching nested instances of Sway (the compositor I use) which each use their own sockets and render as a client to the parent compositor and that worked fine. Does it have something to do with rendering to a real display?
I remember this being brought up early in Wayland development. The stance was taken that it wasn't a popular enough use case to be worth putting work into. I don't think there's any real technical reason why it couldn't be done, but I don't know. I'm not familiar with the architecture of Wayland.
I think he means multiple simultaneous seats, and IIRC this is a limitation of systemd-logind, not wayland itself (it works on seatd, though that makes you manage your own XDG_RUNTIME_DIR, so I guess pick your poison).
There's whole classes of software that just don't make sense on Wayland. Most DAWs won't work because the whole point of a DAW is "be a big box that hosts docked windows of out-of-process audio plugins" which just isn't a concept Wayland has; the only way it would work would be to have Reaper or Ardour or whatever be its own compositor. Maybe somebody some day will write a "libsubcompositor" or something; IDK.
"more-or-less" is doing a lot of work there. It uses a cookie-based authentication system (in fact I think that's where web browsers got the word "cookie" from) but it was intended for trusted networks; when it's done in other situations it's via kerberos or over an SSH tunnel.
It's a pretty elegant setup, honestly, and one thing I miss when I'm on Wayland. The idea is you're at a small desktop on your University's network and you need to use some of the computing power of the big data servers they have. So you run e.g. a graphing program that does all of its computation on the big data machine but does its display on your little desktop (in this setup the big data machine is called the "client" and the tiny little desktop is called the "server" which confuses people a lot at first but makes sense when you get into the architecture).
X itself had been moving away from this for years by adding some extensions that don't work well (or at all) over the network, but there are absolutely still lab setups that use the old way because it's pretty much tailor-made for it.
The bigger security issue was that X programs could see and modify certain things about each other and about the system as a whole, so for example the program XEyes had a pair of eyes that pointed at the location of the cursor (it sounds silly but this was an accessibility thing). And a screenshot program could take a shot of the screen. And so on. Wayland got rid of all those capabilities, but there turned out to be a lot of baby in that bathwater so they're slowly adding back each of them, one at a time. In another decade a new crop of developers will no doubt say "What's all this needless cruft?! Let's start over!" and the cycle of life will continue.
The core three tenets are drive encryption (easy), regular wipes (10h/year), and sandboxing (crazy expensive at the moment). That gives you decent security.
If you have a basic understanding of mounts, sandboxing a program in bubblewrap is pretty easy. And of course there are pre-made solutions like firejail.
>sandboxing a program in bubblewrap is pretty easy
It's not easy. Just getting the mounts right is not sufficient. You also need to consider syscalls. E.g. TIOCSTI is permitted by default and allows an easy sandbox escape. See [0]CVE-2017-5226. TIOCLINUX can also allow sandbox escapes.
This can be prevented with the --new-session option, but that breaks interactive terminals, e.g. it causes ctrl-C to restore input to the parent shell while simultaneously running the child shell on the same terminal with the same inputs, which makes it unusable.
The alternative is compiling a seccomp BPF program to filter the syscalls, and loading it with the --seccomp option, but even this is non-trivial, e.g. see [1]CVE-2019-10063. This is also a case of "enumerating badness"; there's no guarantee that other syscalls are not also exploitable.
Ah it sure does feel good to be humbled. Glad to know my personal setups are not affected as they do not give access to the outer tty but at the same time - WTF is going
on inside developers heads!?
I've noticed a trend of adding N deeply intertwined features which then interact in N! different ways and no one bothers to define rigorous semantics for them. And then you have to get a PhD in Linux just to understand whether your system is vulnerable when you use POSIX message queues inside a FUSE filesystem inside an unprivileged user namespace inside chroot inside setarch running in 9 nested terminal sessions.
I think I'm starting to understand why some people swear by the BSDs.
Edit: just checked and OpenBSD has indeed removed TIOCSTI in 2017.
Not to mention, there's a lot of things that you can mount inside a bubblewrap sandbox that will lead to a trivial sandbox escape. The X11 socket, the DBus socket...
Sandboxing a program in Bubblewrap is trivially easy if it's a CLI program that doesn't need network access.
Sandboxing a program that needs graphics performance anywhere near 10% of what the hardware is capable of is, at the moment, as we're stuck with X11 and growing gray hair waiting for Wayland to become a viable alternative, literally impossible.
Firejail does provide pre-made solutions like running nested X servers, which can sandbox graphical applications at insane resource costs, such that you might as well just run a full virtual machine.
Mount namespaces are security theater if you're giving access to X11, Pipewire, the SSH agent, the GPG agent, the dbus session bus, and god knows what else.
How effective do you think the access control mechanisms in Wayland/PipeWire will be? I'm not sure how widely used they are right now but it seems like a step in the right direction rather than allowing all Wayland clients all the privileged extensions (screen recording, input methods) nullifying most security benefits over X11. Also xdg-dbus-proxy exists for dbus though its security depends on what peers you allow it to talk to.
OTOH it is amusing to watch Wayland re-adopt, one piece at a time, all the "cruft" they started the project to get away from. Embedding will probably be next.
All three of those are great things to do. The fact that you know to mention them makes me think you don't need to worry much. When Linux people say they're into security, it usually means research level computer science, not "I don't want my laptop to get malware".
The only caveat I'd like to say, I think we shouldnt assume every user isnt a VIP.
I'm not a VIP, but I have some huge huge huge secrets that are worth at least a million dollars, maybe 10s of millions of dollars, that I need to access with a computer.
Malware means potentially losing millions or tens of millions of dollars. I'm so afraid of those secrets, I don't even access them on my windows computers unless necessary.
I'd love to be comfortable doing this, but given anyone can seemingly make a python keylogger, I'm not really comfortable using my computer(windows or linux) for this purpose. Gaming/updating my website/etc... all of that, who cares if I'm hacked, I got backups. I just havent found a great way to keep secrets that need to go online.
I'd recommend not taking any security advice from internet forums at all if millions are on the line, regardless of OS. I'd hire a professional to harden the computer I want to use for that and wouldn't use it for anything else. An apple device would probably be my go-to there over any Linux system.
What things do I need to worry about? I'm about to make the switch from Windows to Linux.
Is it general 'dont run things you don't trust'? keep things updated? Use good passwords?(do I need to change a setting to prevent brute forcing?)
Am I missing anything?