←back to thread

Less is safer: Reducing the risk of supply chain attacks

(obsidian.md)
478 points saeedesmaili | 1 comments | 19 Sep 25 22:02 UTC | HN request time: 0.198s | source
Show context
gejose ◴[19 Sep 25 23:42 UTC] No.45308131[source]
This is one way to look at it, but ignores the fact that most users use third party community plugins.

Obsidian has a truly terrible security model for plugins. As I realized while building my own, Obsidian plugins have full, unrestricted access to all files in the vault.

Obsidian could've instead opted to be more 'batteries-included', at the cost of more development effort, but instead leaves this to the community, which in turn increases the attack surface significantly.

Or it could have a browser extension like manifest that declares all permissions used by the plugin, where attempting to access a permission that's not granted gets blocked.

Both of these approaches would've led to more real security to end users than "we have few third party dependencies".

replies(20): >>45308149 #>>45308208 #>>45308212 #>>45308222 #>>45308224 #>>45308241 #>>45308572 #>>45308600 #>>45308749 #>>45310219 #>>45310642 #>>45310881 #>>45310991 #>>45311185 #>>45311760 #>>45311782 #>>45312975 #>>45313054 #>>45314194 #>>45315453 #
ibash ◴[20 Sep 25 03:58 UTC] No.45310219[source]
> Obsidian plugins have full, unrestricted access to all files in the vault.

Unless something has changed, it's worse than that. Plugins have unrestricted access to any file on your machine.

When I brought this up in discord a while back they brushed it aside.

replies(6): >>45310455 #>>45310482 #>>45310762 #>>45310878 #>>45314453 #>>45315194 #
HSO ◴[20 Sep 25 05:48 UTC] No.45310762[source]
What if you run little snitch and block any communications from obsidian to anything?
replies(2): >>45311159 #>>45311167 #
elric ◴[20 Sep 25 07:08 UTC] No.45311167[source]
Or firejail. Or QubesOS using a dedicated VM. There are options, but it would still be nice if Obsidian had a more robust security model.
replies(1): >>45311195 #
johnisgood ◴[20 Sep 25 07:13 UTC] No.45311195[source]
I have been using firejail for most of these kind of applications, be it Obsidian, Discord, or the browser I am using. I definitely recommend people start using it.
replies(1): >>45311393 #
dotancohen ◴[20 Sep 25 08:01 UTC] No.45311393[source]
Sell it to us! Why do you use specifically firejail?

There are so many options, from so many different security perspectives, that analysis paralysis is a real issue.

replies(1): >>45312026 #
johnisgood ◴[20 Sep 25 10:21 UTC] No.45312026[source]
I feel like I should keep track of all my comments on HN because I remember writing a lengthy comment on firejail more than once. I cannot keep doing this. :D

For user-space, there is usually bubblewrap vs. firejail. I have not personally used bubblewrap, so I cannot comment on that, but firejail is great at what it does.

The last comment was about restricting clipboard access to either X11 or Wayland which is possible with firejail quite easily, so if you want that, you can have that.

You can do a LOT more with firejail though.

https://wiki.archlinux.org/title/Firejail

https://man.archlinux.org/man/firejail.1

replies(3): >>45312081 #>>45312546 #>>45315355 #
rufugee ◴[20 Sep 25 11:56 UTC] No.45312546[source]
So do you configure firejail to give each app their own separate, permanent home directories? Like "firejail --private=/home/user/firejails/discord discord", "firejail --private=/home/user/firejails/chromium chromium", and so on?
replies(1): >>45313982 #
johnisgood ◴[20 Sep 25 15:03 UTC] No.45313982[source]
I have my own Discord.profile!

This is my ~/.config/firejail/Discord.profile[1]:

  include disable-common.inc
  include disable-devel.inc
  include disable-interpreters.inc
  include disable-shell.inc

  noblacklist /sys/fs
  noblacklist /sys/module

  keep-config-pulse
  keep-dev-shm

  name discord
  apparmor
  caps.drop all
  caps.keep sys_admin,sys_chroot
  netfilter
  nodvd
  #nogroups
  #noinput
  nonewprivs
  noroot
  notv
  #nou2f
  #novideo
  protocol unix,inet,inet6
  #shell none

  disable-mnt
  private-cache
  #private-tmp

  noexec /tmp

  dbus-user filter
  dbus-user.talk org.freedesktop.Notifications

  private-bin Discord,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],grep,head,sed,sh,tr,xdg-mime,xdg-open,zsh,gzip,wget,curl,notify-send
  private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl

  noblacklist /usr/lib/discord/
  whitelist ${HOME}/.config/discord
  read-write ${HOME}/.config/discord
  whitelist ${DOWNLOADS}
  whitelist ${HOME}/.config/pulse/*

  include whitelist-common.inc
  include whitelist-var-common.inc
  include whitelist-run-common.inc
  include whitelist-runuser-common.inc
I have some things commented out but you could probably uncomment most.

Some has this, too:

  disable-mnt
  private-dev
  private-cache

  env http_proxy=socks5://127.0.0.1:9050
  env https_proxy=socks5://127.0.0.1:9050
FWIW, once you start whitelisting, it will only have access to those directories and files only, so Discord has no access to anything other than its own directory and ${DOWNLOADS}, which I should probably change.

You should check out the default profiles for many programs / apps under directory "/etc/firejail".

[1] You run it via "firejail Discord" or "firejail ./Discord" if you name it "Discord.profile".

replies(1): >>45314279 #
1. rufugee ◴[20 Sep 25 15:39 UTC] No.45314279[source]
This is great. Thanks for the detailed reply!