chroot (sandbox) your browser?

Due to overwhelming demand, we have created a forum just dedicated to Toughbook users who use Linux!
kode-niner
Posts: 700
Joined: Sat Jun 07, 2014 7:39 am
Location: Canada

Re: chroot (sandbox) your browser?

#11 Post by kode-niner »

Hey guys, sorry for letting this one slide. Browser security is still a very important topic for me. It should be to you as well, especially if you're running an OS that allows you to sudo everything without a password, but I'll leave that topic for another thread. So far I've tried a few things.

Making a full chroot OS is possibly the safest but it comes with a few caveats. Everything you do in that browser is stuck in the chroot, including uploading and downloading files. There are ways to work around this but it gets messy. I'd use this only if I were really paranoid about visiting dangerous sites, like for testing and forensics. It's also a pain to set up and use.

Sandfox is described as the poor man's sandbox and seemed promising at first. However it seemed buggy and sometimes it would crash or not work at all. With a bit more research I'm sure I would have managed to get it right, but I gave up. It might actually work much better on other distributions without modifying the script. I still think this might be worth a second look.

Firejail seems like a decent compromise between ease of use and a full chroot jail. This is what I'm running now. It's also on Debian repositories so it's as easy as running apt-get install firejail and running firejail firefox or firejail google-chrome from the command line to get decent security. It only causes problems with certain Firefox extensions that rely on external programs to work, like Video Downloader conversion utilities or Open in Chrome.
Daily drives a CF-31

UNCNDL1
Posts: 509
Joined: Wed Nov 16, 2011 8:01 pm
Location: New England

Re: chroot (sandbox) your browser?

#12 Post by UNCNDL1 »

I started reading your link about FireJail, and am going to try the debian version on a trusty toughbook when I get home, using LMDE 2 Betsy. I found another interesting link at the end of your source, that lists an interesting independent distribution built from scratch:
• Void Linux, a rolling-release Linux distribution built from scratch, with its own packet manager and runit init system also includes Firejail, http://www.voidlinux.eu/
More things to dabble into and try....Thanks :doh:
CF-53 MX-Linux 21 Wildflower
CF-30 MK2 SSD MX-21 Betsy, MK2 Navigatrix, Fundraiser for TbT
CF-52 GUN SSD MX-19
(NICE) Thanks Sadlmkr
CF-M34 MicroWattR8 Thanks Sadlmkr
CF-M33 MicroWattR8 Thanks Springfield

kode-niner
Posts: 700
Joined: Sat Jun 07, 2014 7:39 am
Location: Canada

Re: chroot (sandbox) your browser?

#13 Post by kode-niner »

UNCNDL1 wrote: More things to dabble into and try....Thanks :doh:
Let me know how that works out. Looks interesting indeed!




Anybody ever think about using a user-agent override? In web browsers, the User Agent string is a bit of text that your browser reports to servers that it visits to let it know about your browser application and OS. To see what I mean, visit this link: http://whatsmyuseragent.com/

This is useful for web sites to check your browser version and capabilities in order to serve you content that works better for your platform, such as automatically showing an optimized version of a website for mobile devices. It also lets malicious web sites know how to better infect your computer or track you.

Some Firefox extensions allow you to change this string to fool sites into thinking you're something else entirely. My latest thing is to run one of these extensions on my Linux browsers to make them think I'm actually running Windows. 8)
Daily drives a CF-31

kode-niner
Posts: 700
Joined: Sat Jun 07, 2014 7:39 am
Location: Canada

Re: chroot (sandbox) your browser?

#14 Post by kode-niner »

This is exactly the reason why sandboxing your browser is of utmost importance.
Firefox users have been urged to update to browser version 39.0.3, following the discovery of a vulnerability which allows an attacker to read and steal sensitive local files on the victim's computer via the browser's PDF reader.
According to Mozilla:

On Windows the exploit looked for subversion, s3browser, and Filezilla configurations files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients.
On Linux the exploit goes after the usual global configuration files like /etc/passwd, and then in all the user directories it can access it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for remina, Filezilla, and Psi+, text files with “pass” and “access” in the names, and any shell scripts.
More here:
http://www.theregister.co.uk/2015/08/07 ... n_exploit/
Daily drives a CF-31
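
Added example, not part of any post in this thread: a small shell function that lists which of the Linux file types named in the Mozilla quote above exist under a home directory and are readable by the current process, which is the same view a browser running without a sandbox has. The `*.txt` and `*.sh` name patterns and the default search depth of 3 are assumptions; the Remmina, Filezilla and Psi+ configuration paths are left out because the thread does not give them.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit which sensitive files in a home
# directory are readable by the process running this script.

# Print the path only if it is a regular file this process can read.
emit_if_readable() {
    if [ -f "$1" ] && [ -r "$1" ]; then
        printf '%s\n' "$1"
    fi
}

# exposed_files [HOME_DIR] [MAX_DEPTH]
# Prints one readable sensitive path per line, sorted and de-duplicated.
exposed_files() {
    local home="${1:-$HOME}" depth="${2:-3}" f
    {
        # Shell and database client history files named in the advisory quote.
        for f in .bash_history .mysql_history .pgsql_history; do
            printf '%s\n' "$home/$f"
        done
        # SSH configuration files and keys.
        if [ -d "$home/.ssh" ]; then
            find "$home/.ssh" -type f 2>/dev/null
        fi
        # Text files with "pass" or "access" in the name, and shell scripts.
        # Assumption: "text files" means *.txt and "shell scripts" means *.sh.
        find "$home" -maxdepth "$depth" -type f \
            \( -iname '*pass*.txt' -o -iname '*access*.txt' -o -name '*.sh' \) \
            2>/dev/null
    } | while IFS= read -r f; do
        emit_if_readable "$f"
    done | sort -u
}

# Usage: exposed_files "$HOME"
```

Call `exposed_files "$HOME"` in a normal shell, then again from a shell started inside the sandbox; any path the sandbox hides drops out of the second list.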
