On Sun, 29 Nov 2015 07:08:57 -0700 "Anthony J. Bentley" <anth...@anjbe.name> 
wrote:
> Lampshade writes:
> > Is it possible, in theory, to use pledge(2) to make something similar to
> > firejail?
> > https://packages.debian.org/sid/main/firejail
> > Firejail is a GNU/Linux program which executes Firefox as its descendant
> > with reduced privileges.
> > For example I would like to restrict Firefox to not write and read to
> > directories outside the /home/firefox directory. Let's assume that I run
> > Firefox as another user than my normal account. I would restrict, using
> > traditional Unix privileges, Firefox and all its descendants, logging in as
> > another user to regain privileges to, for example, /home/open. I imagine
> > that would still leave a huge attack vector to pwn the system and/or sniff
> > passwords, but I think it is better than nothing.
> 
> After the recent Firefox pdf.js exploit (where malicious PDFs on an ad
> server were reading files under ~, including ssh keys), I started
> running Firefox as its own user, and tightened the permissions on my
> home directory so Firefox can't access it.
> 
> There's a large class of attacks this doesn't help against (anything
> that uses X to access keystrokes or similar) but it stops a large set of
> potential Firefox exploits right away with nothing but Unix filesystem
> permissions.
> 
> http://lists.dragonflybsd.org/pipermail/users/2015-August/228324.html
> 
> -- 
> Anthony J. Bentley
> 

you can mitigate those X attacks using 'ssh -X'. i detailed a number of
mitigations here in 'isolating untrusted programs in ssh chroot jails'
(https://marc.info/?l=openbsd-misc&m=142676615612510&w=2).

it has been reported that those methods work for firefox as well.

if going the route of chroot itself is too extreme, you would still profit
from some of the other information in that post, i.e. X11 Security Extensions,
Xephyr.

for pdfs, i have a chroot under a user who is denied access to the net
via pf. i find it a good idea to only allow specific users access, e.g.:

pass out log quick on $intif proto tcp user { browse, 1000, pfetch }
pass out log quick on $intif proto udp user { browse, 1000, pfetch }

even root is denied net access with the above.
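The two pass rules above only act as a per-user allowlist when a block rule precedes them, since pf passes anything no rule matches. The following pf.conf fragment is an added example, not the poster's own configuration: it supplies that surrounding context. The user names browse and pfetch and uid 1000 are taken from the rules above; the interface name em0, the macro names and the block rule are assumptions made here.

```pf
# Added example (not from the original post): the context the two
# "pass out ... user" rules need to act as a per-user allowlist.
# Assumed: the internal interface is em0, users browse and pfetch exist,
# uid 1000 is the normal desktop account (names/uid come from the post;
# the interface and the block rule are assumptions in this example).
intif = "em0"
net_users = "{ browse, 1000, pfetch }"

# pf's default is pass, so without this the user rules restrict nothing.
# "log" sends the blocked packets to pflog0 so you can see which uid
# tried to get out.
block drop out log on $intif

# Only these users may originate TCP or UDP on $intif. "user" matches the
# effective uid owning the local socket, so it only applies to connections
# made on this host; "quick" stops evaluation so no later rule widens it.
# root (uid 0) is not listed and therefore hits the block rule above.
pass out log quick on $intif proto tcp user $net_users
pass out log quick on $intif proto udp user $net_users
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. To confirm the policy, run `tcpdump -n -e -ttt -i pflog0` in one terminal and attempt a fetch once as root and once as browse in another: only the root attempt should show up as a block. Note that packets merely forwarded through the host have no local socket and match `user unknown`, so these rules say nothing about routed traffic.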
