
posted by cmn32480 on Wednesday August 10 2016, @09:03AM
from the interesting-reads dept.

Desktop / Laptop privacy & security of web browsers on Linux part 1: concepts and theory

Web browsers today are everywhere, and they are a huge pile of shit code, full of shiny things that sometimes hide bad surprises, but, despite this fact, you want to use them daily because too many things today depend on you visiting a web site, often requiring the latest web technologies.

Even if many vendors today take browser security seriously, the fast evolution of web standards makes it very hard to care about that on such big projects, and almost every day a new method appears in the wild to fuck poor users using the web as a vector of evil code, exploiting either browser vulnerabilities or user innocence.

There is no 100% security; if anyone tells you he has the panacea for all evil things and can show you how to be 100% protected online, he's a liar, no exception. Despite that, something can be done to be at least a little bit more secure and block the most common attack vectors, at a cost in terms of usability that is really cheap.


Desktop / Laptop privacy & security of web browsers on Linux part 2: firejail based sandboxes

There are many tools in the wild to build sandboxes using the features explained, some more user friendly, others more complex, some more complete, others more specific to one or a few features.

After some tests and with the help of many friends from the Veteran Unix Admins group on Facebook, the primary tool I've chosen to use is firejail.

Firejail is a great utility aiming to build sandboxes and it matches our needs almost perfectly. With just a little bit of shell scripting, a little patch I have sent to firejail and a couple of other tools supported by firejail itself, we have all that is needed for our architecture.


  • (Score: 5, Interesting) by boltronics (580) on Wednesday August 10 2016, @10:08AM (#386199)

    I've been running Firejail for almost all my desktop apps that connect to the Internet, for just over a year now. My web browser, XMPP client, ownCloud client, mail client, Steam, Scudcloud, etc. I too have a set of shell scripts to manage it all, which I intend to publish and explain when I get some free time... but it's working quite nicely. It's not perfect, but it's pretty good and all major bugs have been addressed by now. You do need to keep in mind its limitations.

    For example, if I have Thunderbird in one jail, and want to click on a link in an e-mail to have it open in Firefox, and I have the firefox command configured to run in a firejail, Firefox won't open correctly or at all (depending on the way the jails have been configured) - because firejail requires elevated privileges (it runs suid) to do its thing, and jails generally aren't permitted to elevate privileges. However if I start Firefox first (so it's already running in its own jail) and then click the link in Thunderbird, it will detect the Firefox process is already running and open the link successfully.

    There is a bug in the current Debian Stretch packages, where it will add slashes to ampersand characters in links, causing broken URLs. A work-around is to copy the link and paste it into a browser. This bug has been fixed upstream for a while now though.

    One thing I really like is using firejail with Steam, where I have a unique directory that Steam thinks is my actual home directory. Then I can easily see and keep track of all the random file locations various games try to sprinkle around my home directory.

    I also have firejail environments created for various pieces of untrusted code. E.g. I have pythonjail configured to bring up a Bash shell with a remapped home directory and limited privileges so packages installed via pip can't do too much damage. Same with ruby for rbenv, nodejs for npm, etc. I don't like to put more trust in code from those kinds of repositories than absolutely necessary.

    --
    It's GNU/Linux dammit!
  • (Score: 1, Insightful) by Anonymous Coward on Wednesday August 10 2016, @10:52AM (#386210)

    Same with ruby for rbenv, nodejs for npm, etc. I don't like to put more trust in code from those kind of repositories than absolutely necessary.

    Don't worry. Almost all software distribution out there is done with very very little security. Sure, you have Debian and others signing their archives, but what good is signing if upstreams don't care about that? Almost all upstreams don't sign their software releases, and that is a more educated crowd than most users.

    • (Score: 2) by boltronics (580) on Wednesday August 10 2016, @11:43PM (#386440)

      At the very least, most distribution package managers record a checksum of the original upstream code. You can at least gain some confidence you haven't been targeted specifically. I also have greater trust in most distributions having a package manager that is effective at thwarting MITM attacks.

      Incidentally, that's why I've never used Arch GNU/Linux. I know package security was not a priority for them for a long time.

      --
      It's GNU/Linux dammit!
  • (Score: 2) by opinionated_science (4031) on Wednesday August 10 2016, @12:51PM (#386236)

    Yes, I was introduced to this a year or so ago - it would be nice to have a setup profile tool of usage - common things etc... Currently I use the firefox/chromium etc... profiles to keep different uses apart, although I would like to have the extra layer of OS in case the browser bugs become more invasive....

  • (Score: 0) by Anonymous Coward on Wednesday August 10 2016, @01:11PM (#386239)

    Can you (easily) use firejail to run a different vpn in each jail? So, for example, all my firefox traffic goes through one vpn while all my thunderbird traffic goes through a different vpn?

    • (Score: 1) by WillR (2012) on Wednesday August 10 2016, @08:37PM (#386378)

      Should work. You can use "firejail --net=interface" (probably ppp0 for one and ppp1 for the other) to attach the sandbox to a specific network interface.
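A wrapper in the spirit of the pythonjail shell boltronics describes (remapped home, limited privileges) and the per-interface `--net=` flag WillR mentions, added here as an example and not either commenter's own scripts; the `JAIL_ROOT` location, the jail names and the interface names are assumptions.

```shell
#!/bin/sh
# Added example (not boltronics' or WillR's scripts): run a command inside a
# firejail sandbox whose home is remapped to a per-jail directory under
# $JAIL_ROOT, so pip/npm/gem installs and whatever else an untrusted tool
# writes stay out of the real home, with root, all capabilities and further
# privilege escalation dropped. The second argument picks the network:
# "host" keeps the host network namespace, "none" gives no network, anything
# else is passed to firejail's --net=INTERFACE.
# Assumes a firejail that understands --name, --private=DIR, --noroot,
# --caps.drop=all, --seccomp, --nonewprivs and --net. JAIL_ROOT default is
# an assumption.

JAIL_ROOT="${JAIL_ROOT:-$HOME/jails}"

# Print the firejail command line for jail NAME on network IFACE running CMD.
# Printing instead of executing lets the policy be reviewed (or tested)
# without firejail installed; arguments are shown unquoted, for display only.
jail_cmd() {
  name="$1"; iface="$2"; shift 2
  printf 'firejail --name=%s --private=%s/%s --noroot --caps.drop=all --seccomp --nonewprivs' \
    "$name" "$JAIL_ROOT" "$name"
  [ "$iface" = host ] || printf ' --net=%s' "$iface"
  for arg in "$@"; do printf ' %s' "$arg"; done
  printf '\n'
}

# Create the jail's private home if needed and replace this shell with the
# sandboxed command (same flags as jail_cmd, with proper quoting).
jail_run() {
  name="$1"; iface="$2"; shift 2
  mkdir -p "$JAIL_ROOT/$name" || return 1
  [ "$iface" = host ] || set -- --net="$iface" "$@"
  exec firejail --name="$name" --private="$JAIL_ROOT/$name" --noroot \
    --caps.drop=all --seccomp --nonewprivs "$@"
}

# Usage (commented out so the file can be sourced):
#   jail_run pythonjail host bash     # a "pythonjail" shell for pip installs
#   jail_run firefox ppp0 firefox     # browser pinned to one interface
```

Because `--nonewprivs` forbids the privilege elevation the suid firejail binary needs, a jailed mail client cannot launch a second firejail itself; as boltronics notes, start the browser jail first so link clicks are handed to the already running instance.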