I like Debian 7 and I appreciate its stability and the large number of software packages available. However, some of the software I need is not available in Debian Stable. There are also packages I would like to access in Ubuntu Software Center, and over 100 Linux games on gog.com. Sound familiar? In this article I describe my cross-distro Linux setup and how I handle newer Ubuntu software in older distros such as Debian 7.
Ubuntu 14.04 version of AssaultCube running on Debian 7
I have a dual-boot setup. On one partition I have Debian 7. I spend most of my time here; this is my main Linux desktop. On a different partition I have Ubuntu 14.04. I used to boot into Ubuntu occasionally for playing games or for testing my software on a newer compiler toolchain. Not anymore! My new setup allows me to run programs from the Ubuntu partition directly from Debian, without the need to boot back and forth between the two distros.
The key to this setup is that the user has the same user id (uid) and group id (gid) in both distributions. This is the case by default when the first user you create during installation is the same account on both distros: the Debian and Ubuntu installers both give that first user uid 1000 and a private group with gid 1000. You can verify it by running the id command in Debian and in Ubuntu:
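As an added example that is not part of the original article, the following script makes the same check without booting the second distro: it compares a user's uid and gid between the live /etc/passwd and the passwd file of the other distro's root filesystem, which I assume is mounted at /mnt/ubuntu (the mount point and the function names are my assumptions). A mismatch matters because files you create under one distro then show up as owned by a different account under the other.

```sh
#!/bin/sh
# Added example: verify that a user has the same uid and gid in the running
# distro and in a second distro whose root filesystem is mounted. The mount
# point /mnt/ubuntu is an assumption, not something the article specifies.
set -eu

# Print "uid:gid" for a user from a passwd(5) file; fail if the user is absent.
uid_gid_in() {
    awk -F: -v u="$1" '$1 == u { print $3 ":" $4; found = 1 } END { exit !found }' "$2"
}

# Compare a user's uid:gid between two passwd files. Returns 0 only when the
# user exists in both with identical ids; a mismatch means files written from
# one distro belong to a different account when seen from the other.
check_same_id() {
    user=$1; here=$2; there=$3
    a=$(uid_gid_in "$user" "$here") || { echo "$user: not in $here"; return 1; }
    b=$(uid_gid_in "$user" "$there") || { echo "$user: not in $there"; return 1; }
    if [ "$a" = "$b" ]; then
        echo "$user: $a in both, ok"
        return 0
    fi
    echo "$user: $a in $here but $b in $there, mismatch"
    return 1
}

# Default run: the logged-in user, live /etc/passwd against the mounted root.
if [ -r /mnt/ubuntu/etc/passwd ]; then
    check_same_id "$(id -un)" /etc/passwd /mnt/ubuntu/etc/passwd
fi
```

The script only reads the two passwd files, so it can be run from either distro against the other one's partition; if it reports a mismatch, fix the ids with usermod/groupmod on one side before sharing files or home directories between the two systems.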
We often find ourselves running applications we received in binary format. These include not only traditional software installed on our computers, but also unauthenticated programs received over the network and run in web browsers. Most of the time these applications are too complex to be bug-free, or can come from an adversary trying to get access to our system.
Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications. The core technology behind Firejail is Linux Namespaces, a virtualization technology available in the Linux kernel. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table and IPC space.
The program is written in C and only needs libc and POSIX threads (libpthreads), available by default on any Linux platform. The download page provides:
- source code (./configure && make && sudo make install)
- .deb packages for Debian/Ubuntu/Mint (dpkg -i firejail.deb)
- .rpm packages for OpenSUSE/Fedora/CentOS 7 (rpm -i firejail.rpm)
An Arch Linux package is also available in AUR. The command to start Mozilla Firefox in a sandbox is:
$ firejail firefox
To print debug messages while the sandbox is being set up, add the --debug option:
$ firejail --debug firefox
Firefox browser running in a Firejail sandbox
We are happy to announce the release of Firejail version 0.9.10. Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. The new release brings in several sandbox management capabilities and a number of bugfixes:
We are happy to announce the release of Firejail version 0.9.8. Firejail is a generic Linux namespaces security sandbox, capable of running graphic interface programs as well as server programs. The new release brings in several bugfixes, a number of new security features, and new monitoring capabilities:
The goal of this article is to isolate a small public web server on a simulated demilitarized zone (DMZ) network, and to restrict the local network access in case the server is breached. It is an extra security layer added to an existing home server setup.
Internal DMZ network setup
The DMZ consists of an internal network, 10.10.20.0/24, connected to the br0 bridge device. On this network I place a Linux namespaces security sandbox at 10.10.20.10, running a web server. If an intruder gets control of the web server, they will be running with the low privileges of the generic www-data user (assuming the server drops its privileges after binding its port, as web servers normally do), and the host firewall configuration will not allow them to open connections anywhere outside the DMZ network.
Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
Started as a simple sandbox for Mozilla Firefox, Firejail was expanded to work on any type of executable, such as servers, graphic programs, and even as login shell.
The program is written in C and only needs libc and POSIX threads (libpthreads), available by default on any Linux platform. The download page provides source code (./configure && make && sudo make install), deb (dpkg -i firejail.deb) and rpm (rpm -i firejail.rpm) packages. Once installed, you can start a program in a sandbox as:
$ firejail [options] program and arguments
For example, to start Firefox and print debug messages while the sandbox is being set up:
$ firejail --debug firefox
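The pieces described above, as an added example rather than the article's own configuration: a script that prints (or, with apply, runs as root) the bridge and iptables setup for the DMZ, and a start mode that launches the web server in a Firejail sandbox attached to br0 with the 10.10.20.10 address. Assumed, not taken from the article: the uplink interface is eth0, the host side of the bridge is 10.10.20.1, the server listens on TCP port 80 and drops to www-data on its own, and the Firejail options --net, --ip and --private as documented in the firejail man page. The forwarding rules accept only new connections to the server's port 80 and the matching replies; any other connection originating in 10.10.20.0/24, whether to the internet or to the host itself, is dropped.

```sh
#!/bin/sh
# Added example, not the article's own configuration: build the DMZ bridge and
# the host firewall rules that confine a Firejail-sandboxed web server, then
# start the server in the sandbox. Assumptions not stated in the article: the
# host's uplink interface is eth0, the host side of the bridge is 10.10.20.1,
# and the server listens on TCP port 80.
set -eu

BR=br0
UPLINK=eth0
DMZ_NET=10.10.20.0/24
DMZ_GW=10.10.20.1
DMZ_SRV=10.10.20.10

# Emit the setup commands instead of running them, so they can be reviewed first.
dmz_rules() {
    # Bridge with the host's DMZ address; Firejail uses it as the sandbox's default gateway.
    echo "brctl addbr $BR"
    echo "ip addr add $DMZ_GW/24 dev $BR"
    echo "ip link set $BR up"
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Publish port 80 of the uplink on the sandboxed server.
    echo "iptables -t nat -A PREROUTING -i $UPLINK -p tcp --dport 80 -j DNAT --to-destination $DMZ_SRV:80"
    # Forwarded traffic: new connections only to the server on port 80,
    # replies back out, everything else originating in the DMZ dropped.
    echo "iptables -A FORWARD -i $UPLINK -o $BR -d $DMZ_SRV -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -i $BR -o $UPLINK -s $DMZ_SRV -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -s $DMZ_NET -j DROP"
    # The host itself is off limits too, apart from replies to connections it opened.
    echo "iptables -A INPUT -i $BR -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -i $BR -s $DMZ_NET -j DROP"
}

# Start the web server (its command line is passed as arguments) on the bridge
# with the DMZ address; --private gives it a throw-away home directory.
dmz_start() {
    firejail --net="$BR" --ip="$DMZ_SRV" --private "$@"
}

case "${1:-show}" in
    show)  dmz_rules ;;                 # print the commands for review
    apply) dmz_rules | sh -eu ;;        # run them (as root)
    start) shift; dmz_start "$@" ;;     # e.g. start /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
esac
```

Run the show mode first and read the rules before applying them. Two things worth knowing: the DROP rules also block DNS lookups from the sandbox, which is fine for a static site but will stall a server that tries reverse lookups of client addresses, and the INPUT rules protect only the host; machines elsewhere on your LAN are protected by the FORWARD DROP, which covers them because the host is the only router the sandbox can reach.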
To log into a Firejail sandbox, set /usr/bin/firejail as the user's login shell in /etc/passwd. You can change the shell of an existing user with the chsh command (give the username, otherwise chsh changes the shell of the account running it; if you run chsh as a regular user rather than as root, /usr/bin/firejail must also be listed in /etc/shells):
# chsh --shell /usr/bin/firejail username
Another option is to define the shell when the user account is created:
# adduser --shell /usr/bin/firejail username
Below is an ssh login session into a sandboxed account:
SSH login into a default Firejail sandbox