I recently installed LMDE2 on a brand new drive, and brought my home folder across. (First time I've actually tried to bring stuff over from an old install.) So, after copying the home folder, installing necessary software, and copying over a few extra conf files - everything is working great!
Except: on my old system, I remember doing two specific things which I can't fully remember in detail:
1. chmod'ing my home folder to help harden my system
2. firejailing firefox
Whatever I did on the old system, it had the effect of blocking Firefox from accessing/seeing any folder on my system other than the ~/Downloads folder. While unhandy at first, it gave me a (false?) sense of security which I now find lacking...I haven't been able to replicate this behavior on my new install.
So, my questions are:
1. Is there any safety gained by setting up firefox to only access a specific folder?
2. Is there a good guide to hardening a LMDE2 system to a reasonable level? Most of the guides I find are for the folks looking to utilize BIOS/CMOS/UEFI logons, secure boots, disabling external devices, etc., etc. Whereas, at this point, I'm looking more towards making hacking my system via a network inconvenient...not necessarily impossible. I'm not necessarily worried about physical access to the computer.
3. Is there some basic "rule of thumb" for chmod'ing folder structures to keep things locked down a bit more than the default?
Thanks!
Fuzzy
[SOLVED] Permissions / Firefox
LMDE 2 has reached end of support as of 1-1-2019
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 2 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
- Fred Barclay
- Level 12
- Posts: 4185
- Joined: Sat Sep 13, 2014 11:12 am
- Location: USA primarily
Re: Permissions / Firefox
Hi Fuzzy,
Yes, restricting Firefox to ~/Downloads (plus some config folders that Firefox requires to run) is a good way to increase your security. Some of the ways firejail tightens firefox are (assuming your firefox session were to be somehow compromised):
1. The attacker could only see your Downloads and those config files. He/she couldn't make off with your GPG or ssh keys, for instance.
2. If there were some huge bug in Firefox where the attacker would have been able to gain root, firejail would keep this from happening.
3. There's a seccomp filter as well (Chrome uses a seccomp sandbox by default, but Firefox doesn't come with one).
4. The attacker couldn't execute any program in your home... you already close this by chmod'ing (if I understand correctly).
Are you able to see more than Downloads on your new system, through firejailed Firefox? If so, how?
Cheers!
Fred
Re: Permissions / Firefox
Hi Fred,
Thanks for the response!
I'm not sure which permissions I really should have set for my home folder...I think I put 700 on it (how do I check? I can check with ls -ll, but I'm never good at converting the rwx stuff to the 777 stuff). What would you recommend it should be? I feel so foolish asking these basic questions - but I had only done this once before (on a whim, so I didn't take notes), and it was so long ago that I've forgotten.
For some reason, on my newly loaded system, Firefox can "save as" to any location on my system. This wasn't the case on my old system. Also, I know that firejail used to make Firefox show that it was running "as supervisor" or some such wording - but it doesn't show that on my new load. Maybe I don't have firejail setup quite right? (Before, I only firejailed Firefox at runtime - from the shortcut, though now I'd like to firejail much more of my system)
Thanks again for the help,
Fuzzy
Re: Permissions / Firefox
Okay, so the problem with Firejail/Firefox was evidently just an oversight on my part. I checked my shortcut, and it wasn't configured correctly. Now it works fine.
Is there a good "how to" or "recommended" setup for Firejail somewhere? Right now, I'm using it ONLY for firefox, and only from the shortcut.
I am still curious if there's a way to display permissions in the 777/000 format instead of the dwrxxxxx format...and curious which permissions my home folder should have...would 700 be correct?
Thanks again for all the help!
Fuzzy
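An added example, not part of the original thread: a check for the kind of launcher mistake described in the post above. It prints every Exec= line in a .desktop file that starts the program without firejail, including the Desktop Action entries that are easy to miss. The function name and the sample file are constructed, and it assumes the launcher is meant to call firejail explicitly.

```shell
#!/bin/sh
# Added illustration; unsandboxed_exec is a hypothetical helper name.

# Print each Exec= line that does not launch through firejail.
# Returns 1 if at least one such line is found, 0 otherwise.
unsandboxed_exec() {
    awk '
        /^Exec=/ {
            cmd = substr($0, 6)              # text after "Exec="
            n = split(cmd, w, /[ \t]+/)
            i = 1
            prog = w[1]; sub(/.*\//, "", prog)
            if (prog == "env") {             # skip "env VAR=value ..." prefix
                i = 2
                while (i <= n && w[i] ~ /=/) i++
            }
            prog = w[i]; sub(/.*\//, "", prog)
            if (prog != "firejail") { print FILENAME ": " $0; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample launcher: the main entry is sandboxed, but the
# private-window action still starts Firefox directly.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Desktop Entry]
Name=Firefox
Exec=firejail firefox %u
Type=Application
Actions=new-private-window;

[Desktop Action new-private-window]
Name=New Private Window
Exec=firefox --private-window %u
EOF

unsandboxed_exec "$sample" || echo "launcher has entries that bypass firejail"
```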
- Fred Barclay
- Level 12
- Posts: 4185
- Joined: Sat Sep 13, 2014 11:12 am
- Location: USA primarily
Re: Permissions / Firefox
I think 700 is correct. You can check octal permissions with
stat -c "%a %n" ~
xenopeek has written a rather good tutorial for firejail here on the forums: viewtopic.php?f=42&t=240157
Pjotr's website is also great: https://sites.google.com/site/easylinux ... ct/sandbox
I will differ from his recommendation to use the LTS releases. I personally think that you should use the latest release of firejail -- as long as you check the distribution site at https://sourceforge.net/projects/fireja ... /firejail/ frequently for updates (you can use RSS to check automatically). Otherwise, you're better off installing from Mint's repos. You'll get the older LTS version from the repos instead of the newest version, but it will receive security updates properly.
More in-depth documentation is at the main project website: https://firejail.wordpress.com/documentation-2/
Plus, feel free to email or PM me if you can't figure something out.
Cheers, mate!
Fred
EDIT: I just remembered, to get the latest firejail on Mint 18.x without having to use the sourceforge site, you could use this PPA: https://launchpad.net/%7Edeki/+archive/ubuntu/firejail
I don't normally recommend PPAs, but I trust the guy who provides this one, and he's also the firejail packager for Debian.
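An added example, not part of the original thread: how the rwx string from ls maps to the octal form that the stat command above prints, plus a check that a directory such as the home folder grants nothing to group or other. The function names are made up for this illustration, and GNU stat and find are assumed.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical. Assumes GNU stat/find.

# Convert an ls-style mode string ("drwxr-x---") to octal ("750").
sym_to_octal() {
    local mode triplet digit weight special out
    mode=${1#?}                      # drop the file-type character (d, -, l, ...)
    special=0; out=""
    for weight in 4 2 1; do          # setuid, setgid, sticky sit in these triplets
        triplet=${mode%"${mode#???}"}   # first three characters
        mode=${mode#???}
        digit=0
        case $triplet in r??)      digit=$((digit + 4)) ;; esac
        case $triplet in ?w?)      digit=$((digit + 2)) ;; esac
        case $triplet in ??[xst])  digit=$((digit + 1)) ;; esac
        case $triplet in ??[sStT]) special=$((special + weight)) ;; esac
        out="$out$digit"
    done
    if [ "$special" -gt 0 ]; then out="$special$out"; fi
    printf '%s\n' "$out"
}

# Succeed only if the path grants no access to group or other (700, 600, ...).
is_private() {
    local perms
    perms=$(stat -c '%a' "$1") || return 2
    [ $(( 0$perms & 077 )) -eq 0 ]
}

# List top-level entries of a directory that group or other can touch,
# in the same "%a %n" format as the stat command from the thread.
loose_entries() {
    find "$1" -mindepth 1 -maxdepth 1 -perm /077 -exec stat -c '%a %n' {} + | sort
}

sym_to_octal 'drwx------'    # constructed sample input
```

Running `is_private ~` and `loose_entries ~` shows whether the home folder itself is closed and which entries directly inside it are still readable by other accounts.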
Re: Permissions / Firefox
Thanks Fred! (and Xenopeek!) Those Firejail tutorials were exactly what I was looking for! I'll dig through the profiles and see what all else it does. Pretty cool stuff!
Also - thanks for the stat command and the offer for help if I run into problems.
Fuzzy