Tag Archives: Firefox

Firejail – A Security Sandbox for Mozilla Firefox, Part 3

In August, Mozilla was notified by security researcher Cody Crews that a malicious advertisement on a Russian news site was exploiting a vulnerability in Firefox’s PDF Viewer. The exploit payload searched for sensitive files on users’ local filesystem, and reportedly uploaded them to a server in Ukraine.

I am proud to say Firejail users were protected! The default Firejail configuration blocked access to .ssh, .gnupg and .filezilla in all directories present under /home, while more advanced configurations blocked everything else.

The main focus of the Firejail project is GUI application sandboxing, with web browsers being one of the main targets. I will describe some of the new features available in Firejail, and how to use them to sandbox a web browser such as Mozilla Firefox.

A short note before we start. By default, the Firefox browser uses a single process to handle multiple windows. When you start the browser, if another Firefox process is already running, the existing process opens a new tab or a new window. Make sure Firefox is not already running when you start it in a Firejail sandbox.


Firejail – A Security Sandbox for Mozilla Firefox, Part 2

In part 2 of this series, we look at some new browser sandboxing developments in the Firejail security sandbox. Since the first article was published, many new features have been added. Unlike other sandboxes, the main focus of the Firejail project is GUI application sandboxing, with web browsers being, at least for the immediate future, the main target.

Default profiles

Default profiles are stored in /etc/firejail and they describe the sandboxing environment for specific applications. In the latest versions of Firejail, the default profiles are applied automatically unless a different profile is requested by the user. Start it as firejail appname. Examples:

$ firejail firefox
$ firejail chromium
$ firejail midori
$ firejail opera

The sandbox consists of a mount namespace built on top of the current filesystem, with most directories marked read-only, several empty system directories, and a manicured home directory. Linux capabilities filters and seccomp-bpf filters are also enabled. You can always check the current profile by running the sandbox with the --debug option:

Firejail – A Security Sandbox for Mozilla Firefox, Part 1

We often find ourselves running applications we received in binary format. These include not only traditional software installed on our computers, but also unauthenticated programs received over the network and run in web browsers. Most of the time these applications are too complex to be bug-free, or can come from an adversary trying to get access to our system.

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications. The core technology behind Firejail is Linux Namespaces, a virtualization technology available in the Linux kernel. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table, and IPC space.

Introducing Firejail

The software is written in C and only needs libc and POSIX threads (libpthreads), available by default on any Linux platform. Firejail is included in Ubuntu 15.10 and Debian testing. For other distributions, the download page provides:

  • source code (./configure && make && sudo make install)
  • .deb packages for Debian/Ubuntu/Mint (dpkg -i firejail.deb)
  • .rpm packages for OpenSUSE/Fedora/CentOS 7 (rpm -i firejail.rpm)

An Arch Linux package is available in AUR.

Mozilla Firefox

The command to start Firefox in a Firejail sandbox is:

$ firejail firefox
or
$ firejail --debug firefox

Firefox browser running in a Firejail sandbox


Adding Home, Trash and Web Icons to Linux Desktop

Home, Trash and Web icons used to be enabled by default on most Linux desktops – not anymore! I am often asked to add them back when I install Linux for some other people. They are part of the workflow, and I am not interested in changing workflows. I am simply interested in moving the user from Windows to Linux. This article describes how I do it for various Linux desktops.

LXDE

To create the icons in LXDE, right-click on the desktop and select Create New/Blank File. Name the file Home.desktop. Right-click on the file and open it in Leafpad. Copy the following text into the file:

[Desktop Entry]
Type=Application
Exec=pcmanfm
Icon=user-home
Terminal=false
StartupNotify=true
MimeType=x-directory/normal;inode/directory;
Name=Home

Similarly, create a new Trash.desktop file with the following content:

[Desktop Entry]
Icon=user-trash
Type=Application
Exec=pcmanfm trash:///
Categories=FileManager;Utilities;GTK;
Terminal=false
StartupNotify=true
MimeType=x-directory/normal;inode/directory;
Name=Trash

/usr/share/applications stores desktop files for all installed GUI applications. Copy the firefox.desktop file into the ~/Desktop folder. If you want to change the name appearing under the icon, edit the Name= line in the file.

$ cp /usr/share/applications/firefox.desktop ~/Desktop/.

LXDE Desktop


Fedora 19 LXDE Spin Cleanup

Most of my software development takes place on a Debian 7 “wheezy” running LXDE. It is stable and provides me with everything I need. I also keep a copy of Fedora on a different partition on my hard disk, the attraction being the latest versions of gcc and glibc. In this article I will take a look at the latest Fedora release.

Usually when installing Linux, my main concern is the RAM memory. In my work I need as much as I can get. One option would be to start with a regular server install, and add X11, LXDE and everything else on top of it. Building such a system from scratch is not exactly difficult. However, today I’m lazy, and I’ll go for a Fedora LXDE Spin install. I will remove after installation everything I don’t need.

The download page is here. The installer still has some problems; for example, updating an existing partition tends to get it confused. On first boot in the new system, I open a terminal and run the free command. It uses 220MB of memory, which is not so bad.

System cleanup

The procedure is simple: I look at the ps aux output and remove or disable everything I don’t really need.

The first one to go is Clipit. It is a clipboard manager that tracks your every keystroke. As you start the system, it tells you politely what it intends to do, and it advises you not to type passwords. I have no idea why anybody would run this on his computer in a post-Snowden world. So, I open a terminal, su and

# yum remove clipit


Light Debian Linux for Family and Friends

A friend of yours tells you one day he’s heard so much about Linux and he’s decided to install it on his Windows machine. His computer is already a few years old, a Windows 7 or maybe a Windows XP, and he’s come to you for advice. Could you please help him to install it? No problem, happy to oblige!

The only concern I would have is the RAM memory. It is virtually impossible to persuade anybody to add more memory to an old box, so we had better make sure the desktop environment we choose will not be slower than his Windows. A memory comparison of various Debian desktop environments helps at this point:


Debian 7 Memory (MB)

I usually install Debian for them because it is rock solid, and it will more than tamper with some of the bad habits they accumulated as Microsoft users. Once Debian is installed, using it is as easy as using Ubuntu. Installation is no different once you go through it once or twice.


How to Download and Burn YouTube Videos on a DVD in Linux

This is a short tutorial on how to burn YouTube videos on a DVD. It might come in handy if you want to watch them on a big TV, or if you want to send them to friends. Or maybe you published them on YouTube for your small business, and you need to send a copy to a client. There are basically three steps: downloading, converting the video to MPEG format, and building the DVD image. All these steps can be accomplished in Linux with free open-source programs.

Downloading

An easy way to download is to use the Video DownloadHelper Firefox extension. It is just a matter of starting the video in YouTube and saving it – always choose the highest quality version available when saving.


Video DownloadHelper Mozilla Extension


How to Speed Up Mozilla Firefox


As the Internet goes slower and slower and your Internet Service Provider refuses to go faster and faster, these are three easy things you can do to speed up Mozilla Firefox:

1. Disable IPv6

For a regular web page such as slashdot.org, Firefox needs to resolve more than 40 domain names. Each domain name is resolved twice, once for an IPv4 address and once for an IPv6 address. This results in lots of DNS requests, slowing down your web access. If you are like 99.999% of the population without IPv6 access, translating domain names into IPv6 addresses is useless.

To disable this functionality, type about:config into the address bar. Type ipv6 into the search bar and toggle network.dns.disableIPv6 to true.

2. Install Adblock Plus extension

The extension will cut down most, if not all, advertisements and annoying banners.

3. Install Ghostery extension

The extension removes “invisible” trackers, web bugs, pixels, and beacons placed on web pages by Facebook, Google Analytics, and over 1,000 other ad networks.