
441 points longcat | 1 comments
vorgol No.45039050
OSs need to stop letting applications have free rein of all the files on the file system by default. Some apps come with apparmor/selinux profiles and firejail is also a solution. But the UX needs to change.
replies(5): >>45039375 #>>45040698 #>>45041459 #>>45041809 #>>45045968 #
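As an added example (not from the thread or any of the posters): the kind of per-application AppArmor profile the comment above has in mind. The application path /usr/bin/example-app and its config/data directories are assumed for illustration. The profile grants access only to the app's own directories; everything not listed is denied once the profile is enforced.

```apparmor
# Added example, not from the thread. Confines a hypothetical application
# (/usr/bin/example-app, an assumed path) to its own config and data
# directories. Anything not listed here is denied by default in enforce mode.
#include <tunables/global>

/usr/bin/example-app {
  #include <abstractions/base>

  # The binary itself (m = mmap executable, r = read).
  /usr/bin/example-app mr,

  # Per-user state the app legitimately needs. 'owner' limits access to
  # files owned by the user running the app, and 'k' permits file locking.
  owner @{HOME}/.config/example-app/ rw,
  owner @{HOME}/.config/example-app/** rwk,
  owner @{HOME}/Documents/example-app/ rw,
  owner @{HOME}/Documents/example-app/** rwk,

  # Explicit denies for high-value paths. Deny rules take precedence over
  # allow rules and also keep these attempts out of the audit log.
  deny @{HOME}/.ssh/** mrwkl,
  deny @{HOME}/.gnupg/** mrwkl,
}
```

Install the profile as /etc/apparmor.d/usr.bin.example-app, load it with `sudo apparmor_parser -r /etc/apparmor.d/usr.bin.example-app`, and confirm it is active with `sudo aa-status`. Start in complain mode (`sudo aa-complain /usr/bin/example-app`) and review the logged accesses with `aa-logprof` before switching to enforce, so that paths the app genuinely needs are added to the allow list rather than silently breaking it.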
evertheylen No.45040698
If you are on Linux, I'm writing a little tool to securely isolate projects from each other with podman: https://github.com/evertheylen/probox. The UX is an important aspect which I've spent quite some time on.

I use it all the time, but I'm still looking for people to review its security.

replies(1): >>45041414 #
eyberg No.45041414
Containers should not be used as a security mechanism.
replies(1): >>45041793 #
evertheylen No.45041793
I agree with you that VMs would provide better isolation. But I do think containers (or other kernel techniques like SELinux) can still provide quite decent isolation with a very limited performance/ease-of-use cost. Much better than nothing, I'd say?
replies(2): >>45041831 #>>45042674 #
bryceneal No.45041831
This is also my impression. Containers aren't foolproof. There are ways to escape from them I guess? But surely it's more secure practically than not using them? Your project looks interesting; I will take a look.