viio n00b
Joined: 17 Mar 2020 Posts: 33
Posted: Thu Apr 02, 2020 12:35 pm Post subject: Sandboxing: doas/sudo | permissions | xhost
Hi,
I wanted to follow this guide about sandboxing applications like Firefox.
In the guide they use 'sudo'.
Currently I'm using 'doas' instead of sudo and I'm asking if it is possible to do the same with doas?
Yeah sure I could simply install sudo but what's the point in having two similar programs installed?
I'd find it better if I could get it to work with doas.
My doas.conf file looks like this:
Code: | # /etc/doas.conf
permit nopass myuser as firefox cmd /usr/bin/firefox |
But when I try to launch Firefox with the following command:
Code: | doas -u firefox /usr/bin/firefox |
I get the following error message:
Code: | Error: Access was denied while trying to open files in your profile directory.
JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
Home directory not accessible: Permission denied
W: [pulseaudio] core-util.c: Failed to open configuration file '/home/myuser/.config/pulse//daemon.conf': Permission denied
W: [pulseaudio] daemon-conf.c: Failed to open configuration file: Permission denied |
Notice that [pulseaudio] message: It tried to open a file in "/home/myuser" while it should be "/home/firefox".
The doas.conf manpage has two interesting options:
Code: | keepenv The user's environment is maintained.
The default is to reset the environment, except for the variables
DISPLAY, HOME, LOGNAME, MAIL, PATH, TERM, USER and USERNAME.
setenv { [variable ...] [variable=value ...] }
In addition to the variables mentioned above, keep the space-separated
specified variables. Variables may also be removed with a leading ‘-’
or set using the latter syntax. If the first character of value is a
‘$’ then the value to be set is taken from the existing environment
variable of the same name.
|
I understand it like this:
If the option "keepenv" is not set, all the above variables are kept.
Since one of them is "HOME", that would explain why it is looking for a config file in the wrong user's home directory.
From my understanding that means I should reset some of the mentioned variables like this:
Code: | # /etc/doas.conf
permit nopass setenv { -HOME } myuser as firefox cmd /usr/bin/firefox |
If I do it like this - it works!
But I'm still receiving some error messages when I launch Firefox. However I'm not sure if these are related to sandboxing?
I'm using a new & empty Firefox profile.
Code: | doas -u firefox /usr/bin/firefox
1585832751598 addons.webextension.screenshots@mozilla.org WARN Loading extension 'screenshots@mozilla.org': Reading manifest: Invalid extension permission: mozillaAddons
1585832751599 addons.webextension.screenshots@mozilla.org WARN Loading extension 'screenshots@mozilla.org': Reading manifest: Invalid extension permission: telemetry
1585832751599 addons.webextension.screenshots@mozilla.org WARN Loading extension 'screenshots@mozilla.org': Reading manifest: Invalid extension permission: resource://pdf.js/
1585832751599 addons.webextension.screenshots@mozilla.org WARN Loading extension 'screenshots@mozilla.org': Reading manifest: Invalid extension permission: about:reader*
JavaScript error: undefined, line 14: Error: An unexpected error occurred
JavaScript error: moz-extension://33b9e244-5bfb-42a7-bc23-fda7184f77fb/lib/picture_in_picture_overrides.js, line 15: Error: Incorrect argument types for pictureInPictureParent.setOverrides.
JavaScript error: resource:///modules/sessionstore/SessionStore.jsm, line 1325: uncaught exception: 2147746065 |
Now I have some questions:
- Is it enough to reset the "HOME" variable or are there some others that I should reset? Since I sandbox Firefox for security reasons I'm asking if it maybe is a security risk to NOT RESET more of these variables?
- How does 'sudo' handle these variables?
----------
Then I have another question regarding this topic: Permissions
(Sorry, I still didn't fully understand the unix permissions... xD)
My normal user needs to have read+write access to the following locations:
- /home/firefox/Downloads/ (for obvious reasons)
- /home/firefox/.mozilla/firefox/ (to edit and backup the profile folder)
Here it says I should do the following:
Code: | chgrp larry /home/ff
chmod 770 /home/ff |
I guess I could simply adapt it to my needs like this:
Code: | chgrp myuser /home/firefox/Downloads
chmod 770 /home/firefox/Downloads |
But what about the profile folder? The permissions currently look like this:
Code: | /home/firefox/.mozilla/firefox/wljxd0rr.default-default # ls -al
insgesamt 14220
drwx------ 7 firefox firefox 4096 2. Apr 15:06 .
drwx------ 4 firefox firefox 4096 2. Apr 15:05 ..
-rw------- 1 firefox firefox 45 2. Apr 15:05 addons.json
-rw------- 1 firefox firefox 2700 2. Apr 15:05 addonStartup.json.lz4
drwx------ 2 firefox firefox 4096 2. Apr 15:05 bookmarkbackups
-rw------- 1 firefox firefox 204 2. Apr 15:06 broadcast-listeners.json
-rw------- 1 firefox firefox 28672 2. Apr 15:05 cert9.db
-rw------- 1 firefox firefox 166 2. Apr 15:05 compatibility.ini
-rw------- 1 firefox firefox 939 2. Apr 15:05 containers.json
-rw-r--r-- 1 firefox firefox 229376 2. Apr 15:05 content-prefs.sqlite
-rw-r--r-- 1 firefox firefox 131072 2. Apr 15:05 cookies.sqlite
drwx------ 2 firefox firefox 4096 2. Apr 15:05 datareporting
-rw------- 1 firefox firefox 1207 2. Apr 15:05 extension-preferences.json
drwx------ 2 firefox firefox 4096 2. Apr 15:05 extensions
-rw------- 1 firefox firefox 72779 2. Apr 15:05 extensions.json
-rw-r--r-- 1 firefox firefox 5242880 2. Apr 15:05 favicons.sqlite
-rw-r--r-- 1 firefox firefox 1082168 2. Apr 15:05 favicons.sqlite-wal
-rw------- 1 firefox firefox 542 2. Apr 15:05 handlers.json
-rw------- 1 firefox firefox 36864 2. Apr 15:05 key4.db
-rw-rw-r-- 1 firefox firefox 0 2. Apr 15:05 .parentlock
-rw-r--r-- 1 firefox firefox 98304 2. Apr 15:05 permissions.sqlite
-rw------- 1 firefox firefox 479 2. Apr 15:05 pkcs11.txt
-rw-r--r-- 1 firefox firefox 5242880 2. Apr 15:05 places.sqlite
-rw-r--r-- 1 firefox firefox 2164304 2. Apr 15:05 places.sqlite-wal
-rw------- 1 firefox firefox 6635 2. Apr 15:06 prefs.js
-rw------- 1 firefox firefox 2605 2. Apr 15:05 search.json.mozlz4
-rw------- 1 firefox firefox 90 2. Apr 15:05 sessionCheckpoints.json
drwx------ 2 firefox firefox 4096 2. Apr 15:05 sessionstore-backups
drwxr-xr-x 3 firefox firefox 4096 2. Apr 15:05 storage
-rw-r--r-- 1 firefox firefox 512 2. Apr 15:05 storage.sqlite
-rw------- 1 firefox firefox 50 2. Apr 15:05 times.json
-rw-r--r-- 1 firefox firefox 32768 2. Apr 15:05 webappsstore.sqlite
-rw-r--r-- 1 firefox firefox 98408 2. Apr 15:05 webappsstore.sqlite-wal
-rw------- 1 firefox firefox 137 2. Apr 15:06 xulstore.json |
should I just do the following or would this be bad or break anything for some reason?
Code: | chgrp -R myuser /home/firefox/.mozilla/firefox
chmod -R g+r,g+w,g+x /home/firefox/.mozilla/firefox |
----------
One last question:
Code: | xhost si:localuser:firefox |
Some sentences later the command is executed like this:
Code: | sh -c 'xhost si:localuser:ff && sudo -u ff firefox' |
I'm confused now. When do I have to launch this command?
- One time only?
- Once per session?
- Every time I start Firefox?
----------
Wow... that was much more than I wanted to write...
Thank you very much for your time if you kept reading until here.
I appreciate it.
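The permissions question above (sharing /home/firefox/Downloads and the profile folder with the normal user) is the kind of thing that is easy to get slightly wrong with `chmod -R g+r,g+w,g+x`: on regular files that adds an execute bit to things like cookies.sqlite, which is harmless but untidy, and files Firefox creates afterwards will not carry the shared group at all. The script below is an added example, not something from the thread or the linked guide. It uses the capital `X` mode, which only adds execute to directories and to files that are already executable, and sets the setgid bit on directories so new entries inherit the group. The group name and directory are parameters; the thread's values would be `myuser` and `/home/firefox/.mozilla/firefox`.

```shell
#!/bin/sh
# Added example: give a group read/write access to a directory tree owned by
# another user (here: the firefox sandbox user) without making plain files
# executable, and make files created later inherit the shared group.
#
# Usage:  share_tree <group> <directory>
# Thread values: share_tree myuser /home/firefox/.mozilla/firefox
share_tree() {
    group=$1
    dir=$2
    [ -d "$dir" ] || return 1
    # Ownership stays with the firefox user; only the group changes.
    chgrp -R "$group" "$dir" || return 1
    # g+rwX: read/write everywhere, execute (search) only on directories and
    # on files that already had an execute bit.
    chmod -R g+rwX "$dir" || return 1
    # setgid on every directory: new files Firefox writes here get the shared
    # group instead of the firefox user's primary group.
    find "$dir" -type d -exec chmod g+s {} + || return 1
}

# Sanity check after sharing: prints any regular file that is group-executable.
# For a browser profile this should print nothing.
check_tree() {
    dir=$1
    find "$dir" -type f -perm -010
}
```

Note that sharing the profile folder this way also gives the normal user read access to key4.db and the login store, which is what you want for backups but is worth knowing; for the Downloads directory the same two calls apply unchanged.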
Hu Moderator
Joined: 06 Mar 2007 Posts: 21607
Posted: Fri Apr 03, 2020 1:27 am Post subject:
If your account permissions are set correctly, then the only security reason to worry about environment variables leaking through to Firefox would be if you have sensitive environment variables, such as passwords. You shouldn't be putting passwords in environment variables.
You probably want to reset all variables that are specific to your user. HOME, USER, LOGNAME come to mind immediately. Run env and inspect the output for any others you may need. These resets are not necessarily for security, but rather to avoid confusing the program.
If you are not comfortable with Linux permissions, perhaps you should use a tool that provides a bit more help. Firejail could be a good choice. Running the browser as the same user id, but in namespaces to keep it confined away from the rest of the system, may be more trouble to set up, but is easier to handle in the long term, because your regular user has full access to the browser's state.
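"Run env and inspect the output" can be done mechanically. The functions below are an added example (not Hu's, and not part of doas), written to answer the first question in the thread: they scan `NAME=value` lines for values that mention the invoking user's home directory or login name, and emit the matching `setenv { -VAR ... }` clause for the doas.conf line. With doas defaults only DISPLAY, HOME, LOGNAME, MAIL, PATH, TERM, USER and USERNAME survive anyway, so the scan mostly confirms HOME, USER, LOGNAME and MAIL; it becomes more useful if `keepenv` is ever used, because then variables such as PULSE_COOKIE or XDG paths leak the wrong home too. The sample environment at the bottom is constructed for the example.

```shell
#!/bin/sh
# Added example: find environment variables that point at the calling user's
# home directory or login name, i.e. the ones that confuse a program started
# as another user via doas.  Reads "NAME=value" lines on stdin.
#
# Usage:  env | leaking_vars /home/myuser myuser
leaking_vars() {
    home=$1
    user=$2
    while IFS= read -r line; do
        name=${line%%=*}
        value=${line#*=}
        case "$value" in
            *"$home"*|*"$user"*) printf '%s\n' "$name" ;;
        esac
    done | sort -u
}

# Turn the variable names on stdin into the setenv clause for doas.conf,
# e.g.  permit nopass setenv { -HOME -USER } myuser as firefox cmd /usr/bin/firefox
setenv_clause() {
    clause="setenv {"
    while IFS= read -r name; do
        clause="$clause -$name"
    done
    printf '%s }\n' "$clause"
}

# Constructed sample environment (not a real capture) for a stand-alone run.
SAMPLE_ENV='HOME=/home/myuser
USER=myuser
LOGNAME=myuser
PATH=/usr/bin:/bin
TERM=xterm
DISPLAY=:0
MAIL=/var/mail/myuser
XDG_RUNTIME_DIR=/run/user/1000
PULSE_COOKIE=/home/myuser/.config/pulse/cookie'

demo() {
    printf '%s\n' "$SAMPLE_ENV" | leaking_vars /home/myuser myuser | setenv_clause
}
```

Running `demo` on the constructed sample prints `setenv { -HOME -LOGNAME -MAIL -PULSE_COOKIE -USER }`; against a real session, pipe `env` into `leaking_vars` with your own home directory and login name and review the list before pasting it into doas.conf.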
viio n00b
Joined: 17 Mar 2020 Posts: 33
Posted: Fri Apr 03, 2020 9:12 am Post subject:
Okay, thanks, I'll look into env.
Yeah, maybe, but at some point I have to get familiar with these permissions, so I'll keep it this way for now.