In August, Mozilla was notified by security researcher Cody Crews that a malicious advertisement on a Russian news site was exploiting a vulnerability in Firefox’s PDF Viewer. The exploit payload searched for sensitive files on users’ local filesystem, and reportedly uploaded them to a server in Ukraine.
I am proud to say Firejail users were protected! The default Firejail configuration blocked access to .ssh, .gnupg and .filezilla in all directories present under /home, while more advanced configurations blocked everything else.
The main focus of Firejail project is GUI application sandboxing, with web browsers being one of the main targets. I will describe some of the new features available in Firejail, and how to use them to sandbox a web browser such as Mozilla Firefox.
A short note before we start. By default, Firefox browser uses a single process to handle multiple windows. When you start the browser, if another Firefox process is already running, the existing process opens a new tab or a new window. Make sure Firefox is not already running when you start it in Firejail sandbox.
In part 2 of this series, we look at some new browser sandboxing developments in Firejail security sandbox. Since the first article was published, many new features have been added. Unlike other sandboxes, the main focus of Firejail project is GUI application sandboxing, with web browsers being, at least for the immediate future, the main target.
Default profiles are stored in /etc/firejail and they describe the sandboxing environment for specific applications. In the latest versions of Firejail, the default profiles are applied automatically unless a different profile is requested by the user. Start it as firejail appname. Examples:
$ firejail firefox
$ firejail chromium
$ firejail midori
$ firejail opera
The sandbox consists of a mount namespace built on top of the current filesystem, with most directories marked read only, several empty system directories, and a manicured home directory. Linux capabilities filters and seccomp-bpf filters are also enabled. You can always check the current profile by running the sandbox with –debug option:
We often find ourselves running applications we received in binary format. These include not only traditional software installed on our computers, but also unauthenticated programs received over the network and run in web browsers. Most of the time these applications are too complex to be bug-free, or can come from an adversary trying to get access to our system.
Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications. The core technology behind Firejail is Linux Namespaces, a virtualization technology available in Linux kernel. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table, IPC space.
The software is written in C and only needs libc and POSIX threads (libpthreads), available by default on any Linux platform. Firejail is included in Ubuntu 15.10 and Debian testing. For other distributions, the download page provides:
- source code (./configure && make && sudo make install)
- .deb packages for Debian/Ubuntu/Mint (dpkg -i firejail.deb)
- .rpm packages for OpenSUSE/Fedora/Centos7(rpm -i firejail.rpm)
An Arch Linux package is available in AUR.
The command to start Firefox in a Firejail sandbox is:
$ firejail firefox
$ firejail --debug firefox
Firefox browser running in a Firejail sandbox
Home, Trash and Web icons used to be enabled by default on most Linux desktops – not anymore! I am often asked to add them back when I install Linux for some other people. They are part of the workflow, and I am not interested in changing workflows. I am simply interested in moving the user from Windows to Linux. This article describes how I do it for various Linux desktops.
To create the icons in LXDE, right-click on the desktop and select Create New/Blank File. Name the file Home.desktop. Right-click on the file and open it in Leafpad. Copy the following text in the file:
Similarly, create a new Trash.desktop file with the following content:
/usr/share/applications stores desktop files for all installed GUI applications. Copy firefox.desktop file in ~/Desktop folder. If you want to change the name appearing under the icon, edit Name= line in the file.
$ cp /usr/share/applications/firefox.desktop ~/Desktop/.
Most of my software development takes place on a Debian 7 “wheezy” running LXDE. It is stable and provides me with everything I need. I also keep a copy of Fedora on a different partition on my hard disk, the attraction being the latest versions of gcc and glibc. In this article I will take a look at the latest Fedora release.
Usually when installing Linux, my main concern is the RAM memory. In my work I need as much as I can get. One option would be to start with a regular server install, and add X11, LXDE and everything else on top of it. Building such a system from scratch is not exactly difficult. However, today I’m lazy, and I’ll go for a Fedora LXDE Spin install. I will remove after installation everything I don’t need.
The download page is here. The installer still has some problems, for example updating an existing partition tends to get it confused. First boot in the new system I open a terminal and run free command. It uses 220MB of memory, which is not so bad.
The procedure is simple, I look at ps aux output and remove or disable everything I don’t really need.
First one to go is Clipit. It is a clipboard manager that tracks your every key stroke. As you start the system, it tells you politely what it intends to do, and it advises you not to type passwords. I have no idea why would anybody run this on his computer in a post-Snowden world. So, I open a terminal, su and
# yum remove clipit
A friend of yours tells you one day he’s heard so much about Linux and he’s decided to install it on his Windows machine. His computer is already a few years old, a Windows 7 or maybe a Windows XP, and he’s come to you for advice. Could you please help him to install it? No problem, happy to oblige!
The only concern I would have is the RAM memory. It is virtually impossible to persuade anybody to add more memory to an old box, we better make sure the desktop environment we chose will not be slower than his Windows. A memory comparison of various Debian desktop environments helps in this moment:
Debian 7 Memory (MB)
I usually install for them Debian because it is rock solid, and it will more than tamper with some of the bad habits they accumulated as Microsoft users. Once Debian installed, using it is as easy as using Ubuntu. Installation is no different once you go trough it once or twice.
This is a short tutorial on how to burn YouTube videos on a DVD. It might come in handy if you want to watch them on a big TV, or if you want to send them to friends. Or maybe you published them on YouTube for your small business, and you need to send a copy to a client. There are basically three steps: downloading, converting the video to MPEG format, and building the DVD image. All these steps can be accomplished in Linux with free open-source programs.
An easy way to download is to use Video DownloadHelper Firefox extension. It is just a matter of starting the video in YouTube and saving it – always choose the highest quality version available when saving.
Video DownloadHelper Mozilla Extension