[SOLVED] Permissions / Firefox

Fuzzy
Level 4
Posts: 251
Joined: Thu Jul 28, 2011 11:54 am

Post by Fuzzy »

I recently installed LMDE2 on a brand new drive, and brought my home folder across. (First time I've actually tried to bring stuff over from an old install.) So, after copying the home folder, installing necessary software, and copying over a few extra conf files - everything is working great!

Except: on my old system, I remember doing two specific things which I can't fully remember in detail:
1. chmod'ing my home folder to help harden my system
2. firejailing firefox

Whatever I did on the old system, it had the effect of blocking Firefox from accessing/seeing any folder on my system other than the ~/Downloads folder. While unhandy at first, it gave me a (false?) sense of security which I now find lacking... I haven't been able to replicate this behavior on my new install.

So, my questions are:
1. Is there any safety gained by setting up firefox to only access a specific folder?
2. Is there a good guide to hardening a LMDE2 system to a reasonable level? Most of the guides I find are for the folks looking to utilize BIOS/CMOS/UEFI logons, secure boots, disabling external devices, etc., etc. Whereas, at this point, I'm looking more towards making hacking my system via a network inconvenient...not necessarily impossible. I'm not necessarily worried about physical access to the computer.
3. Is there some basic "rule of thumb" for chmod'ing folder structures to keep things locked down a bit more than the default?

Thanks!
Fuzzy
Fred Barclay
Level 12
Posts: 4185
Joined: Sat Sep 13, 2014 11:12 am
Location: USA primarily

Re: Permissions / Firefox

Post by Fred Barclay »

Hi Fuzzy,
Yes, restricting Firefox to ~/Downloads (plus some config folders that Firefox requires to run) is a good way to increase your security. Some of the ways firejail tightens firefox are (assuming your firefox session were to be somehow compromised):
1. The attacker could only see your Downloads and those config files. He/she couldn't make off with your GPG or ssh keys, for instance.
2. If there were some huge bug in Firefox where the attacker would have been able to gain root, firejail would keep this from happening.
3. There's a seccomp filter as well (Chrome uses a seccomp sandbox by default, but Firefox doesn't come with one).
4. The attacker couldn't execute any program in your home... you already close this by chmod'ing (if I understand correctly).

Are you able to see more than Downloads on your new system, through firejailed Firefox? If so, how?

Cheers!
Fred
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

Re: Permissions / Firefox

Post by Fuzzy »

Hi Fred,

Thanks for the response!

I'm not sure which permissions I really should have set for my home folder...I think I put 700 on it (how do I check? I can check with ls -ll, but I'm never good at converting the rwx stuff to the 777 stuff). What would you recommend it should be? I feel so foolish asking these basic questions - but I had only done this once before (on a whim, so I didn't take notes), and it was so long ago that I've forgotten.

For some reason, on my newly loaded system, Firefox can "save as" to any location on my system. This wasn't the case on my old system. Also, I know that firejail used to make Firefox show that it was running "as supervisor" or some such wording - but it doesn't show that on my new load. Maybe I don't have firejail setup quite right? (Before, I only firejailed Firefox at runtime - from the shortcut, though now I'd like to firejail much more of my system)

Thanks again for the help,
Fuzzy

Re: Permissions / Firefox

Post by Fuzzy »

Okay, so the problem with Firejail/Firefox was evidently just an oversight on my part. I checked my shortcut, and it wasn't configured correctly. Now it works fine.

Is there a good "how to" or "recommended" setup for Firejail somewhere? Right now, I'm using it ONLY for firefox, and only from the shortcut.

I am still curious if there's a way to display permissions in the 777/000 format instead of the dwrxxxxx format...and curious which permissions my home folder should have...would 700 be correct?

Thanks again for all the help!
Fuzzy
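
The shortcut problem described in the post above can be checked mechanically. This is an added example, not code from the thread or from the firejail project: it reports whether every Exec= line of a .desktop launcher starts through firejail. The function name and the sample launcher files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check that a .desktop launcher
# really starts its program through firejail.

# Status 0 only if the file has at least one Exec= line and every one of
# them runs firejail as its first word; status 1 otherwise.
launcher_is_sandboxed() {
    found=0
    while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        found=1
        first=${cmd%% *}              # first word of the command line
        case ${first##*/} in          # accept firejail or /usr/bin/firejail
            firejail) ;;
            *) return 1 ;;
        esac
    done <<EOF
$(sed -n 's/^Exec=//p' "$1")
EOF
    [ "$found" -eq 1 ]
}

# Constructed sample launchers (not copied from a real system).
sample_dir=$(mktemp -d)
cat > "$sample_dir/good.desktop" <<'EOF'
[Desktop Entry]
Name=Firefox
Exec=firejail firefox %u
[Desktop Action new-private-window]
Exec=firejail firefox --private-window
EOF
cat > "$sample_dir/partial.desktop" <<'EOF'
[Desktop Entry]
Name=Firefox
Exec=firejail firefox %u
[Desktop Action new-private-window]
Exec=firefox --private-window
EOF

for f in "$sample_dir"/*.desktop; do
    if launcher_is_sandboxed "$f"; then
        echo "${f##*/}: sandboxed"
    else
        echo "${f##*/}: at least one Exec line bypasses firejail"
    fi
done
rm -r "$sample_dir"
```

A launcher can carry several Exec= lines (one per desktop action), so a shortcut that was only partly edited still opens unsandboxed windows from its right-click menu.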

Re: Permissions / Firefox

Post by Fred Barclay »

I think 700 is correct. You can check octal permissions with stat -c "%a %n" ~

xenopeek has written a rather good tutorial for firejail here on the forums: viewtopic.php?f=42&t=240157

Pjotr's website is also great: https://sites.google.com/site/easylinux ... ct/sandbox
I will differ from his recommendation to use the LTS releases. I personally think that you should use the latest release of firejail -- as long as you check the distribution site at https://sourceforge.net/projects/fireja ... /firejail/ frequently for updates (you can use RSS to check automatically). Otherwise, you're better off installing from Mint's repos. You'll get the older LTS version from the repos instead of the newest version, but it will receive security updates properly.

More in-depth documentation is at the main project website: https://firejail.wordpress.com/documentation-2/

Plus, feel free to email or PM me if you can't figure something out. :)

Cheers, mate!
Fred

EDIT: I just remembered, to get the latest firejail on Mint 18.x without having to use the sourceforge site, you could use this PPA: https://launchpad.net/%7Edeki/+archive/ubuntu/firejail
I don't normally recommend PPAs, but I trust the guy who provides this one, and he's also the firejail packager for Debian.

Re: Permissions / Firefox

Post by Fuzzy »

Thanks Fred! (and Xenopeek!) Those Firejail tutorials were exactly what I was looking for! I'll dig through the profiles and see what all else it does. Pretty cool stuff!

Also - thanks for the stat command and the offer for help if I run into problems.

Fuzzy
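
For the rwx-to-octal question and the 700 home folder discussed in this thread, the following is an added example and not code from any of the posters. It converts an `ls -l` mode string to octal and uses the `stat -c '%a'` call from the thread to flag a directory that group or other users can reach. The function names and the temporary demo directory are constructed for illustration, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): read permissions as octal and flag
# a directory that group or other users can reach.

# Convert an `ls -l` mode string such as drwx------ to octal (700).
# Only plain r/w/x bits are handled; s, S, t, T are rejected with status 2.
sym_to_octal() {
    perms=$(printf '%s' "$1" | cut -c2-10)   # skip the file-type character
    [ "${#perms}" -eq 9 ] || return 2
    out=
    for start in 1 4 7; do
        triad=$(printf '%s' "$perms" | cut -c"$start"-"$((start + 2))")
        digit=0
        case $triad in r??) digit=$((digit + 4)) ;; -??) ;; *) return 2 ;; esac
        case $triad in ?w?) digit=$((digit + 2)) ;; ?-?) ;; *) return 2 ;; esac
        case $triad in ??x) digit=$((digit + 1)) ;; ??-) ;; *) return 2 ;; esac
        out=$out$digit
    done
    printf '%s\n' "$out"
}

# Status 0 if group or other has any permission bit on the path,
# 1 if it is owner-only (for example 700), 2 if stat fails.
open_to_others() {
    mode=$(stat -c '%a' "$1") || return 2
    case $mode in
        0|*00) return 1 ;;
        *) return 0 ;;
    esac
}

# Demo on a constructed directory, so nothing in the real home is changed.
demo_dir=$(mktemp -d)
chmod 755 "$demo_dir"
open_to_others "$demo_dir" && echo "755: readable by group/other"
chmod 700 "$demo_dir"
open_to_others "$demo_dir" || echo "700: owner only"
echo "drwxr-xr-x = $(sym_to_octal drwxr-xr-x)"
rmdir "$demo_dir"
```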