Running Dropbox in Firejail Sandbox

This article describes how to move an existing Dropbox installation in a restricted home directory and how to run it inside Firejail security sandbox.

Introducing Firejail

Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.

Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. Written in C with virtually no dependencies, it should work on any Linux computer with a 3.x kernel version.

The download page provides:

  • source code (./configure && make && sudo make install)
  • .deb packages for Debian/Ubuntu/Mint (dpkg -i firejail.deb)
  • .rpm packages for OpenSUSE/Fedora/Centos7(rpm -i firejail.rpm)

An Arch Linux package is also available in AUR.
Continue reading

Debian/Ubuntu Cross-distro Gaming with Firejail

I like Debian 7 and I appreciate the stability and the large number of software packages available. However, some of the software I need is not available in Debian Stable. And there are also packages I would like to access in Ubuntu Software Center, and over 100 Linux games on gog.com. Sounds familiar? In this article I describe my cross-distro Linux setup and how I handle newer Ubuntu software in older distros such as Debian 7.

Ubuntu 14.04 version of AssaultCube running on Debian 7

Ubuntu 14.04 version of AssaultCube running on Debian 7

Debian/Ubuntu setup

I have a dual-boot setup. On one partition I have Debian 7. I spend most of my time here, this is my main Linux desktop. On a different partition I have Ubuntu 14.04. I used to boot into Ubuntu occasionally for playing games or for testing my software on a newer compiler tool chain. Not anymore! My new setup allows me to run programs on Ubuntu partition directly from Debian, without the need to boot back and forth between the two distros.

The key to this setup is to have the same user id set in both distributions. This happens by default if the first user you configure during install is the same in both distros. You can check it out by running id command in Debian and Ubuntu:

Continue reading

Firejail – A Security Sandbox for Mozilla Firefox

We often find ourselves running applications we received in binary format. These include not only traditional software installed on our computers, but also unauthenticated programs received over the network and run in web browsers. Most of the time these applications are too complex to be bug-free, or can come from an adversary trying to get access to our system.

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications. The core technology behind Firejail is Linux Namespaces, a virtualization technology available in Linux kernel. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table, IPC space.

Introducing Firejail

The program is written in C and only needs libc and POSIX threads (libpthreads), available by default on any Linux platform. The download page provides:

  • source code (./configure && make && sudo make install)
  • .deb packages for Debian/Ubuntu/Mint (dpkg -i firejail.deb)
  • .rpm packages for OpenSUSE/Fedora/Centos7(rpm -i firejail.rpm)

An Arch Linux package is also available in AUR. The command to start Mozilla Firefox is:

$ firejail firefox
or
$ firejail --debug firefox
Firefox browser running in a Firejail sandbox

Firefox browser running in a Firejail sandbox

Continue reading

Securing a Web Server Using a Linux Namespaces Sandbox

The goal of this article is to isolate a small public web server on a simulated demilitarized zone (DMZ) network, and to restrict the local network access in case the server is breached. It is an extra security layer added to an existing home server setup.

Internal DMZ network setup

Internal DMZ network setup

The DMZ consists of an internal network 10.10.20.0/24 connected to br0 bridge device. On this network I place a Linux namespaces security sandbox at 10.10.20.10, running a web server. In case an intruder gets control of the web server, he will be running with low privileges as a generic www-data user. The host firewall configuration will not allow him to open connections anywhere outside DMZ network.

Continue reading

How to Restrict a Login Shell Using Linux Namespaces

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.

Started as a simple sandbox for Mozilla Firefox, Firejail was expanded to work on any type of executable, such as servers, graphic programs, and even as login shell.

The program is written in C and only needs libc and POSIX threads (libpthreads), available by default on any Linux platform. The download page provides source code (./configure && make && sudo make install), deb (dpkg -i firejail.deb) and rpm (rpm -i firejail.rpm) packages. Once installed, you can start a program in sandbox as:

$ firejail [options] program and arguments
Example:
$ firejail --debug firefox

Default sandbox

To login into a Firejail sandbox, you need to set /usr/bin/firejail as user shell in /etc/passwd. You can change the shell for an existing user with chsh command:

# chsh --shell /usr/bin/firejail

Another option is to define the shell when the user account is created:

# adduser --shell /usr/bin/firejail username

Below is a ssh login session into a sandboxed account:

SSH login into a default Firejail sandbox

SSH login into a default Firejail sandbox

Continue reading