Author Archives: netblue30

Firejail – A Security Sandbox for Mozilla Firefox

We often find ourselves running applications we received in binary format. These include not only traditional software installed on our computers, but also unauthenticated programs received over the network and run in web browsers. Most of the time these applications are too complex to be bug-free, or can come from an adversary trying to get access to our system.

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications. The core technology behind Firejail is Linux namespaces, a virtualization technology available in the Linux kernel. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table and IPC space.

Introducing Firejail

The program is written in C and only needs libc and POSIX threads (libpthreads), available by default on any Linux platform. The download page provides:

  • source code (./configure && make && sudo make install)
  • .deb packages for Debian/Ubuntu/Mint (dpkg -i firejail.deb)
  • .rpm packages for OpenSUSE/Fedora/CentOS 7 (rpm -i firejail.rpm)

An Arch Linux package is also available in AUR. The command to start Mozilla Firefox is:

$ firejail firefox
or
$ firejail --debug firefox

Firejail mounts the main filesystem directories read-only and blocks access to the /sbin, /usr/sbin and /boot directories. It also blocks several files storing encryption keys and certificates in the user's home directory. This is the current list:

(from /etc/firejail/firefox.profile)
blacklist ${HOME}/.ssh
blacklist ${HOME}/.gnome2_private
blacklist ${HOME}/.gnome2/keyrings
blacklist ${HOME}/kde4/share/apps/kwallet
blacklist ${HOME}/kde/share/apps/kwallet
blacklist ${HOME}/.pki/nssdb
blacklist ${HOME}/.gnupg

You can add and remove files or directories as needed in /etc/firejail/firefox.profile. Firejail restricts the processes visible in the sandbox by making the sandboxed program PID 1 in its own process table (PID namespace). Only processes started by this program and its descendants will be visible in the sandbox.
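A quick way to check that a profile does what it says is to list its blacklist entries and then test each path once outside and once inside the sandbox. The script below is an added example, not part of Firejail or of this post. It embeds a constructed copy of the blacklist lines quoted above so it runs offline; set PROFILE to the installed firefox.profile to check the real file. The "blocked" verdict assumes, as the post states, that a blacklisted path still exists but cannot be read from inside the sandbox.

```shell
#!/bin/sh
# Added example (not part of Firejail or the article): verify that the paths a
# Firejail profile blacklists really are unreadable from inside the sandbox.
# Run it once normally and once as
#   firejail --profile=/etc/firejail/firefox.profile sh check-blacklist.sh
# Every path that exists should read "accessible" outside and "blocked" inside.

# Constructed profile text mirroring the blacklist lines quoted above; set
# PROFILE=/etc/firejail/firefox.profile to check the installed profile instead.
PROFILE_TEXT='# constructed sample profile
blacklist ${HOME}/.ssh
blacklist ${HOME}/.gnupg
blacklist ${HOME}/.pki/nssdb'

# blacklist_paths PROFILE_TEXT HOME
# Prints one absolute path per "blacklist" line, with ${HOME} expanded to the
# second argument. Comments and other directives are ignored.
blacklist_paths() {
    printf '%s\n' "$1" | awk -v home="$2" '
        $1 == "blacklist" && NF >= 2 {
            p = $2
            # expand every ${HOME} with index/substr (braces are awkward in awk regexes)
            while ((i = index(p, "${HOME}")) > 0)
                p = substr(p, 1, i - 1) home substr(p, i + 7)
            print p
        }'
}

# check_access PATH
# Prints "accessible PATH", "blocked PATH" or "absent PATH". A directory only
# counts as accessible when it can actually be listed.
check_access() {
    if [ ! -e "$1" ]; then
        printf 'absent %s\n' "$1"
    elif [ -r "$1" ] && { [ ! -d "$1" ] || ls "$1" >/dev/null 2>&1; }; then
        printf 'accessible %s\n' "$1"
    else
        printf 'blocked %s\n' "$1"
    fi
}

main() {
    home=${HOME:-/}
    text=$PROFILE_TEXT
    # PROFILE is optional: when set, read the real profile file instead of the sample
    [ -n "${PROFILE:-}" ] && text=$(cat "$PROFILE")
    blacklist_paths "$text" "$home" | while IFS= read -r p; do
        check_access "$p"
    done
}

main
```

Paths that do not exist on the host are reported "absent" in both runs, because there is nothing for the sandbox to hide; only the entries that exist outside and turn "blocked" inside tell you the profile is in effect.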

Firefox browser running in a Firejail sandbox


Securing a Web Server Using a Linux Namespaces Sandbox

The goal of this article is to isolate a small public web server on a simulated demilitarized zone (DMZ) network, and to restrict the local network access in case the server is breached. It is an extra security layer added to an existing home server setup.

Internal DMZ network setup

The DMZ consists of an internal network, 10.10.20.0/24, connected to the br0 bridge device. On this network I place a Linux namespaces security sandbox at 10.10.20.10, running a web server. In case an intruder gets control of the web server, he will be running with low privileges as the generic www-data user. The host firewall configuration will not allow him to open connections anywhere outside the DMZ network.
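The host firewall is what turns the DMZ into a one-way street, so here is a rule set of the kind the setup above calls for. It is an added example and not the configuration from the article. The network, bridge and web server address are the ones given above; the external interface name (eth0), the use of iptables with the conntrack match, and publishing the server on the host's port 80 via DNAT are assumptions. By default the script only prints the commands; run it with APPLY=1 as root to install them.

```shell
#!/bin/sh
# Added example, not from the article: host firewall for the DMZ described above.
# Assumptions not stated in the article: external interface eth0, iptables with
# the conntrack match, and port 80 on the host's public address forwarded to the
# sandboxed web server.
DMZ_NET=10.10.20.0/24
DMZ_BRIDGE=br0
WEB_HOST=10.10.20.10
WAN_IF=${WAN_IF:-eth0}        # assumption: name of the external interface

# rule CMD...: print the command, and run it only when APPLY=1 (dry run otherwise)
rule() {
    printf '%s\n' "$*"
    [ "${APPLY:-0}" = 1 ] && "$@"
    return 0
}

dmz_rules() {
    # Let the kernel route between the WAN interface and the DMZ bridge.
    rule sysctl -w net.ipv4.ip_forward=1
    # Nothing is forwarded unless a rule below allows it.
    rule iptables -P FORWARD DROP
    # Publish the sandboxed web server on the host's port 80.
    rule iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
         -j DNAT --to-destination "$WEB_HOST:80"
    # Replies to connections that were already allowed may pass in either direction.
    rule iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only new HTTP connections from outside may reach the web server.
    rule iptables -A FORWARD -i "$WAN_IF" -o "$DMZ_BRIDGE" -d "$WEB_HOST" \
         -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    # The DMZ may not open connections to anything else: not the LAN, not the Internet.
    rule iptables -A FORWARD -i "$DMZ_BRIDGE" -s "$DMZ_NET" -j DROP
    # Nor to services listening on the host itself.
    rule iptables -A INPUT -i "$DMZ_BRIDGE" -j DROP
}

dmz_rules
```

Rule order matters: the ESTABLISHED,RELATED rule must precede the DROP on traffic from br0, otherwise the web server's own replies to legitimate clients are discarded. A compromised web server can still answer the connections it receives, which is the service's job, but cannot start a single new connection out of 10.10.20.0/24.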


How to Restrict a Login Shell Using Linux Namespaces

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.

Started as a simple sandbox for Mozilla Firefox, Firejail was expanded to work on any type of executable, such as servers, graphical programs, and even as a login shell.

The program is written in C and only needs libc and POSIX threads (libpthreads), available by default on any Linux platform. The download page provides source code (./configure && make && sudo make install), deb (dpkg -i firejail.deb) and rpm (rpm -i firejail.rpm) packages. Once installed, you can start a program in a sandbox as:

$ firejail [options] program and arguments
Example:
$ firejail --debug firefox

Default sandbox

To log in to a Firejail sandbox, you need to set /usr/bin/firejail as the user's shell in /etc/passwd. You can change the shell of an existing user with the chsh command:

# chsh --shell /usr/bin/firejail username

Another option is to define the shell when the user account is created:

# adduser --shell /usr/bin/firejail username

Below is an SSH login session into a sandboxed account:

SSH login into a default Firejail sandbox


Lightweight Debian: LXDE Desktop From Scratch Part 2

In part 1 of this article series I’ve described a minimal Debian installation using the network install image. I started with a regular server, added the desktop environment, and installed some more common desktop applications. In this article I will continue with several enhancements to the previous setup. Most of the information in these articles applies to other desktop environments as well.


A Memory Comparison of Light Linux Desktops – Part 3

The Linux kernel manages all the RAM in your computer. Unused memory goes into a special buffering pool, where the kernel caches recently used data. If a process attempts to read a file and the kernel already has that file cached, reading it is as fast as reading RAM.

Filesystem-heavy tasks, such as compiling source code or processing video files, benefit from as much free memory as possible in the buffering pool. It is not uncommon today to see users with powerful systems running tiling window managers in only a few megabytes of memory. Also, with the personal computer market in decline, people tend to keep their computers longer.

In this article I continue the measurements started in part 1 and part 2 of this series.

I use the free command to measure memory. It basically prints out values provided by the kernel. Of interest to us is the number on the -/+ buffers/cache line, 121MB in the example below:

Measuring desktop memory
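If you want to repeat these measurements on your own machine, the figure on the -/+ buffers/cache line can be pulled out of free's output with a little awk. The script below is an added example, not from the article. It goes one step beyond the text: newer procps-ng releases of free no longer print the -/+ buffers/cache line, and their "used" column already has buffers and cache subtracted, so the script takes the same figure from there when the old line is missing. The two sample outputs embedded in it are constructed, not real measurements.

```shell
#!/bin/sh
# Added example, not from the article: read the "used minus buffers/cache"
# figure from free -m output, in either the old or the new free format.

# desktop_mem_used: reads free -m output on stdin and prints the megabytes
# used by programs once buffers and cache are discounted.
desktop_mem_used() {
    awk '
        # old format: "-/+ buffers/cache:   121   1879" -> third field is "used"
        $1 == "-/+" { print $3; found = 1; exit }
        # new format: "Mem:  total  used  free ..." where used is already net of cache
        $1 == "Mem:" { mem_used = $3 }
        END { if (!found) print mem_used }
    '
}

# Constructed sample outputs (not real measurements) for both free formats.
OLD_FREE='             total       used       free     shared    buffers     cached
Mem:          2000        900       1100          0        150        629
-/+ buffers/cache:        121       1879
Swap:         1024          0       1024'

NEW_FREE='              total        used        free      shared  buff/cache   available
Mem:           2000         250        1000          10         750        1650
Swap:          1024           0        1024'

# Measure the running system when free is available, otherwise show the samples.
if command -v free >/dev/null 2>&1; then
    printf 'this system: %s MB\n' "$(free -m | desktop_mem_used)"
else
    printf 'old format sample: %s MB\n' "$(printf '%s\n' "$OLD_FREE" | desktop_mem_used)"
    printf 'new format sample: %s MB\n' "$(printf '%s\n' "$NEW_FREE" | desktop_mem_used)"
fi
```

Take the reading right after the desktop has settled, with no applications open, so that successive runs measure the same thing; the value is what a fresh desktop costs you before the buffering pool gets any of the remaining memory.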
