←back to thread

Malicious versions of Nx and some supporting plugins were published

(github.com)
441 points longcat | 5 comments | 27 Aug 25 01:38 UTC | HN request time: 0s | source
Show context
vorgol ◴[27 Aug 25 13:00 UTC] No.45039050[source]
OSs need to stop letting applications have a free reign of all the files on the file system by default. Some apps come with apparmor/selinux profiles and firejail is also a solution. But the UX needs to change.
replies(5): >>45039375 #>>45040698 #>>45041459 #>>45041809 #>>45045968 #
terminalbraid ◴[27 Aug 25 13:26 UTC] No.45039375[source]
Which operating system lets an application have "free reign of all the files on the file system by default"? Neither Linux, nor any BSD, nor MacOS, nor Windows does. For any of those I'd have to do something deliberately unsafe such as running it as a privileged account (which is not the "default").
replies(6): >>45039776 #>>45039798 #>>45039824 #>>45040322 #>>45040368 #>>45040974 #
1. eightys3v3n ◴[27 Aug 25 13:59 UTC] No.45039824[source]
I would argue the distinction between my own user and root is not meaningful when they say "all files by default". As my own user, it can still access everything I can on a daily basis which is likely everything of importance. Sure it can't replace the sudo binary or something like that, but it doesn't matter because it's already too late. Why when I download and run Firefox can it access every file my user can access, by default. Why couldn't it work a little closer to Android with an option for the user to open up more access. I think this is what they were getting at.
replies(3): >>45040122 #>>45040191 #>>45045248 #
2. doubled112 ◴[27 Aug 25 14:21 UTC] No.45040122[source]
Flatpak allows you to limit and sandbox applications, including files inside your home directory.

It's much like an Android application, except it can feel a little kludgy because not every application seems to realize it's sandboxed. If you click save, silent failure because it didn't have write access there isn't very user friendly.

3. skydhash ◴[27 Aug 25 14:26 UTC] No.45040191[source]
Because it will become unpractical. It’s like saying your SO shouldn’t have access to your bedroom, or the maid should only have access to a single room. Instead what you do is having trusted people and put everything important in a safe.

In my case, I either use apt (pipx for yt-dlp), or use a VM.

replies(1): >>45045319 #
4. terminalbraid ◴[27 Aug 25 21:03 UTC] No.45045248[source]
I'm not saying user files aren't important. What I am saying is the original poster was being hyperbolic and, while you say it's not important for your case, it is a meaningful distinction. In fact, that's why those operating systems do not allow that.
5. eightys3v3n ◴[27 Aug 25 21:10 UTC] No.45045319[source]
I don't agree that the only options are "give it almost everything" or "give it nothing and now it's a huge pain in the arse". Which seems to be what you implied. I do think there are better middle grounds where an app almost always works out of the box but also can't access almost everything on the system. There are also UI changes that can help deal with this like the Android security prompts do.