~Toughbooktalk~ Rob - 630-300-8877

The largest Toughbook discussion site on the net!

All times are UTC-06:00




Posted: Sat Dec 20, 2014 12:33 pm

Joined: Sat Jun 07, 2014 7:39 am
Posts: 651
Location: Canada
Anybody consider doing this? With the excellent security (NOT) of flash, java and plugins for whatever browser you use, this is a thing I've been doing on my permanent installs. Although I admit I've been slacking lately so I'm revising my Toughbooks.

Why do this? Running stuff in a chroot jail makes sure that if your application runs amok and tries to pwn your system, it won't get very far and access all your files, or worse. The problem is techniques vary and results can be less than perfect if you want to launch a chroot browser in one command or menu item.

_________________
CF-19 MK2 TOUCHSCREEN || CF-19 MK2 DIGITIZER || CF-30 MK3 "Jeff Edition" || CF-19 MK4


Posted: Sat Dec 20, 2014 10:15 pm

Joined: Wed Nov 16, 2011 8:01 pm
Posts: 489
Location: New England
I'll have to do some reading on this and try it out. Any tips or pitfalls?

_________________
CF-53 MX-16
CF-30 MK2 SSD LMDE2 Betsy, MK2 Navigatrix, Fundraiser for TbT
CF-52 GUN SSD LMDE2 Betsy(NICE) Thanks Sadlmkr
CF-M34 MicroWattR8 Thanks Sadlmkr
CF-33 MicroWattR8 Thanks Springfield
CF-29 MX-16 (https://mxlinux.org/)
CF-28 MK3 MX-14.3 & MicroWattR8


Posted: Sun Dec 21, 2014 3:41 pm

Joined: Sat Jun 07, 2014 7:39 am
Posts: 651
Location: Canada
Look into chroot and debootstrap for creating a chrooted environment to play with. The caveat with this is that almost all methods require you to use sudo or edit /etc/sudoers if you want to make launching your browser as simple as possible.

Another method was to launch your browser under an unprivileged user. The point for that was to run the browser process under a bogus user that has access to absolutely nothing but his own files. It's not as secure as a chroot, but in my opinion it works sufficiently well. However, the methods could get messy and require scripts and using xhost to allow this user to connect to the X server to launch the application.

Right now I stumbled upon sandfox http://igurublog.wordpress.com/download ... t-sandfox/ which attempts to make running sandboxed processes much easier. It's quite simple to install but it does require more sudo-ing. I'll look into this and any other easy methods and post back here. Right now I'm going to play with sandfox and attempt to understand how it works.

_________________
CF-19 MK2 TOUCHSCREEN || CF-19 MK2 DIGITIZER || CF-30 MK3 "Jeff Edition" || CF-19 MK4


Posted: Mon Dec 22, 2014 10:53 am

Joined: Sat Jun 07, 2014 7:39 am
Posts: 651
Location: Canada
Interesting. sandfox sort of creates a chrooted environment in temporary mount points in order to isolate and execute applications. It's only working on my desktop PC so far and I haven't tried it on anything other than my CF-19 Debian workhorse. I am currently taking a closer look at how it copies and saves firefox/iceweasel or other browser profiles between sessions, so that you can keep your bookmarks and plugins intact.

_________________
CF-19 MK2 TOUCHSCREEN || CF-19 MK2 DIGITIZER || CF-30 MK3 "Jeff Edition" || CF-19 MK4


Posted: Mon Jan 12, 2015 2:01 pm

Joined: Sat Jun 07, 2014 7:39 am
Posts: 651
Location: Canada
I've been gone for a while, folks. I'm back! I'm going to post the best method for chrooting your browser in a bit, which is a full chroot with debootstrap. Sandfox is proving to be unreliable. I have my desktop PC to set up soon so I'll take notes.

_________________
CF-19 MK2 TOUCHSCREEN || CF-19 MK2 DIGITIZER || CF-30 MK3 "Jeff Edition" || CF-19 MK4


Posted: Wed Jan 28, 2015 3:47 pm

Joined: Sat Jun 07, 2014 7:39 am
Posts: 651
Location: Canada
Just to let you guys know I haven't forgotten this. Just been kind of busy. And when I'm not, I just want to disconnect my brain and stay away from keyboards.

_________________
CF-19 MK2 TOUCHSCREEN || CF-19 MK2 DIGITIZER || CF-30 MK3 "Jeff Edition" || CF-19 MK4


Posted: Wed Jan 28, 2015 7:14 pm

Joined: Wed Nov 16, 2011 8:01 pm
Posts: 489
Location: New England
Wondering if certain browsers are better than others along with what you are talking about, i.e. this one:
http://www.dillo.org/

_________________
CF-53 MX-16
CF-30 MK2 SSD LMDE2 Betsy, MK2 Navigatrix, Fundraiser for TbT
CF-52 GUN SSD LMDE2 Betsy(NICE) Thanks Sadlmkr
CF-M34 MicroWattR8 Thanks Sadlmkr
CF-33 MicroWattR8 Thanks Springfield
CF-29 MX-16 (https://mxlinux.org/)
CF-28 MK3 MX-14.3 & MicroWattR8


Posted: Thu Jan 29, 2015 9:01 am

Joined: Sat Jun 07, 2014 7:39 am
Posts: 651
Location: Canada
Quite possibly. But it's Adobe Flash, JavaScript and JRE that are making me paranoid. On Windows, having software silently install and infect your system by just browsing a site is comically common. I'd like to avoid full access to my files from my browser process on my Linux systems.

_________________
CF-19 MK2 TOUCHSCREEN || CF-19 MK2 DIGITIZER || CF-30 MK3 "Jeff Edition" || CF-19 MK4


Posted: Thu Jan 29, 2015 9:34 am

Joined: Sun Dec 07, 2014 2:39 pm
Posts: 61
Location: Around Kansas City
I rebuild my systems so often it is not a concern, but have you looked into selinux, and the package "harden"? I have just found out that one of our professors here at school would like to make a hacking team; he deals with security stuff. When I learn stuff from him I will relate it here.

Windows didn't understand ownership and file permissions and as a result the virus/malware/spyware grew.

I will look around and see if I can find anything to help. I was thinking you could write a bash script to launch everything. There is a command that lists which process is linked to which process, but I can't recall it at the moment. I will find it and then you can pipe its output through grep to a file to track what the "browser" is connecting or calling to.

Off to class.

_________________
glitch

CF-19 Mk-1 / CF-M34 / CF-27 / CF-28 / CF-29 Mk-1 / CF-H1 Field/Health

“The soul is dyed the color of its thoughts. Think only on those things that are in line with your principles and can bear the light of day. The content of your character is your choice. Day by day, what you do is who you become. Your integrity is your destiny - it is the light that guides your way.” Heraclitus ~5 bc


Posted: Fri Jan 30, 2015 7:40 am

Joined: Sat Jun 07, 2014 7:39 am
Posts: 651
Location: Canada
The command to find out what files are currently being accessed by a running process is lsof. With no arguments or grepping, it lists all open files.
For example:
Code:
lsof | grep firefox

But that's beside the point. What you need to know is what user can access which files or directories. This is the most basic way to display this info and I am aware that there are better methods.
Log in as the non-root user, then:
Code:
find / -readable

Or what can be modified:
Code:
find / -writable
Or executed:
Code:
find / -type f -executable

When a process is launched under that user, such as a child process from a Java applet running under your browser, it could technically access all those files and directories. SELinux won't help you since this is just a basic permissions issue. You quite simply don't want untrusted processes to be able to access files and run commands under that user. And don't get me started with an OS that by default allows regular joe user to use sudo without a password.

There were two ways of keeping a process such as a browser from reading files that it shouldn't. One is to run the process under another user and group that doesn't have free rein over the rest of your other user's files. It's not perfect since there are always files every user needs to see such as /etc/passwd and it can still execute any binary or script under that user. The other way is to run its own chroot jail and that is what I am going to explain here.

_________________
CF-19 MK2 TOUCHSCREEN || CF-19 MK2 DIGITIZER || CF-30 MK3 "Jeff Edition" || CF-19 MK4
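
An added example, not part of the thread: the separate-user approach discussed above only helps if your own files are closed to the "other" permission class, so this script lists what such an account could read or write under a directory by checking mode bits. The function names and the sample tree are constructed for this example; group membership, ACLs and the permissions of directories above the starting point are assumed not to matter and are not checked.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a directory tree by mode bits
# to show what an account in the "other" class, such as a separate browser
# user, could reach. Group membership and ACLs are not considered.

# Files readable by "other" (octal 0004). Directories lacking other-execute
# (0001) are pruned, because nothing below them can be reached.
others_can_read() {
    find "$1" -xdev -type d ! -perm -0001 -prune -o \
        -type f -perm -0004 -print 2>/dev/null
}

# Files and directories writable by "other" (octal 0002), same pruning.
others_can_write() {
    find "$1" -xdev -type d ! -perm -0001 -prune -o \
        \( -type f -o -type d \) -perm -0002 -print 2>/dev/null
}

# Constructed sample tree standing in for a home directory.
make_demo_tree() {
    t=$(mktemp -d)/home
    mkdir -p "$t/private" "$t/shared"
    : > "$t/notes.txt"; : > "$t/secret.key"
    : > "$t/private/diary.txt"; : > "$t/shared/drop.txt"
    chmod 755 "$t"; chmod 700 "$t/private"; chmod 777 "$t/shared"
    chmod 644 "$t/notes.txt" "$t/private/diary.txt"
    chmod 600 "$t/secret.key"; chmod 666 "$t/shared/drop.txt"
    printf '%s\n' "$t"
}

demo=$(make_demo_tree)
echo "Readable by other accounts:"; others_can_read "$demo"
echo "Writable by other accounts:"; others_can_write "$demo"
rm -rf "${demo%/home}"
```

Point the two functions at a real home directory to see what a dedicated browser account would inherit; `diary.txt` in the sample is mode 644 but stays unlisted because its parent directory is 700.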

