CtrlAltDel wrote: Thu Oct 28, 2021 11:09 pm
ThaCrip wrote: Wed Oct 20, 2021 5:37 am
if you want a little extra security... sandbox (Firejail) your browser.
Here are the last 3 real-life reviews of Firejail in Mint's very own Software Manager:
I don't know if taking a swing at my box or laptop with a 20 pound sledgehammer will totally destroy them and every component within them, they may even still work after that, but why take a chance? That's some pretty heady language with terms like "destroyed" and "severely screwed up" and "totally killed" being used.
Is there another SUID program that can be used to sandbox Firejail with in order to safely try it out?
I am using Mint v20.2-Cinnamon and I just install Firejail from the proper deb file (from here...
https://sourceforge.net/projects/fireja ... /firejail/ ; I am using "firejail_0.9.64.4_1_amd64.deb" ; that won't get automatically updated though as you have to manually keep it updated but this generally won't be a real problem since I can't imagine there are any security-related flaws found all that often in regards to Firejail itself. so you can just manually check once in a while and update accordingly) and then manually adjust Firefox browser shortcut I made on the desktop to use Firejail (i.e. "firejail firefox %u" ) and I don't have any issues and have been using that for quite some time now. if I don't want to use Firejail I just load up the browser like usual since it does not modify any shortcuts this way. so basically if I load Firefox from the usual icon or start menu, it still loads Firefox normally WITHOUT Firejail. but if I load Firefox from the shortcut I made on my desktop, which I adjusted with that "firejail firefox %u", then it uses Firejail sandbox. you can tell if Firejail is currently running on any processes (like Firefox or Chrome etc) by issuing "firejail --list" from the terminal. if it does not show anything then it's not being used. but if you're using Firejail, on Firefox for example, then you will see something like... "1111:user::firejail firefox".
I did manually tweak some configuration files so that the browser is a bit more locked down so it can only save files to usual folder it does by default (which I think is the 'Downloads' folder) and a custom folder I made on another hard drive (I got my main SSD boot drive along with three other hard drives connected but when Firejail is running, Firefox can only access the custom folder I allowed on one of my hard drives (and the usual 'Downloads' folder on the main boot drive as expected) as the other hard drives are not visible to Firefox when running Firejail. so with the way I currently have my Firejail configured, Firefox cannot access or even see my 4TB/5TB hard drives etc which it normally would have access to when running Firefox browser normally). then I further tweaked Firejail configuration so programs running through Firejail cannot access my password manager's database file as while it does filter out some password managers by default, it does not filter the particular one I use (i.e. 'Password Safe' (in Software Manager you search for 'passwordsafe' (without the '), but I run the newest one from here...
https://sourceforge.net/projects/passwo ... les/Linux/ )) so that the ".pwsafe" folder (which is where Password Safe stores its main password database file and general data) is still accessible in the Home folder when Firefox is running in its default state without Firejail. but when Firejail is running, after I applied some custom tweaks so it can no longer see that ".pwsafe" folder, it can no longer access that folder through the browser itself.
put "file:///" (without the ") into Firefox and press enter and you can see the folders it can access. doing that without Firejail on my system gives it more access to areas that it cannot see when Firejail is running.
so using Firejail like I am you should be pretty safe as it won't mess up your system. but as a precaution, it's always better to be safe than sorry, so make backups when doing anything potentially risky that you're a bit unsure of as this way even if something gets out of whack you can easily revert those changes. I typically make an image of my hard drive with Clonezilla (basically I image my main SSD boot drive with Mint on it to an image file on another hard drive I have) before doing anything a bit more unknown because I know I can easily revert things back to EXACTLY the way they were when it was imaged since when you restore a Clonezilla image it restores things back to exactly how things were at the time you imaged it, so anything added or deleted since will be wiped and it will be returned to the exact state at the time you imaged it.
but in short... I install Firejail from that deb file I mentioned, then if you want to use Firejail with Firefox browser, you would then go to start menu and find the 'Firefox Web Browser' there, right click it, then select 'add to desktop'. then at this point you right click the Firefox browser icon on the desktop, select 'properties', then on the 'basic' tab you will see a bit below that where it says "Command:" you put "firejail firefox %u" (without the ") in there and then 'close' and then from now on when you want to use Firejail with Firefox browser you simply run it from that desktop icon and it will automatically use Firejail. but if you want to use Firefox normally, close out of the browser, then load up Firefox from the usual icon at bottom left area of the screen, or from the usual Mint menu.
but with all of that said... even using Firefox on Mint without Firejail is probably not going to be hacked anytime soon by just visiting a web page, especially if you keep it updated. so you don't have to use Firejail if you don't want to even though it does increase security a bit by using it. but... whether Firejail is worth your time to set up could be debatable given Linux is pretty secure right off the start. my guess is for most people it's not worth the effort, but I do it for good measure
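
With two launchers on the same machine, as in the post above, it is easy to lose track of which Firefox is actually running inside the sandbox. The following is an added example, not part of the original post: it cross-checks `firejail --list` output against the process table and prints every browser PID that has no Firejail ancestor. The function names, the sample PIDs and the assumption that the browser's process name is `firefox` are constructed for illustration.

```shell
#!/bin/sh
# unsandboxed_pids JAIL_LIST PS_TABLE PROGRAM
#   JAIL_LIST: file holding `firejail --list` output (pid:user:name:command)
#   PS_TABLE : file holding `ps -eo pid=,ppid=,comm=` output (pid ppid comm)
#   PROGRAM  : process name to check, e.g. firefox (assumed name)
# Prints, one per line, the PIDs of PROGRAM that are not descended from
# any Firejail supervisor process.
unsandboxed_pids() {
    awk -v prog="$3" '
        # First file: remember every Firejail supervisor PID.
        # FILENAME is compared (not FNR==NR) so an empty list still works.
        FILENAME == ARGV[1] {
            split($0, f, ":")
            if (f[1] ~ /^[0-9]+$/) jail[f[1]] = 1
            next
        }
        # Second file: build the child -> parent map, note candidates.
        { parent[$1] = $2; if ($3 == prog) cand[$1] = 1 }
        END {
            for (p in cand) {
                q = p; inside = 0
                # Walk up the parent chain until init or a Firejail PID.
                for (hops = 0; q != "" && q + 0 > 1 && hops < 64; hops++) {
                    if (q in jail) { inside = 1; break }
                    q = parent[q]
                }
                if (!inside) print p
            }
        }' "$1" "$2" | sort -n
}

# Constructed sample: one Firefox started via "firejail firefox" (PID 1120)
# and one started from the normal menu entry (PID 2200).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '1111:user::firejail firefox' > "$d/jail.txt"
    printf '%s\n' '1 0 systemd' '900 1 cinnamon' '1111 900 firejail' \
        '1112 1111 firejail' '1120 1112 firefox' '2200 900 firefox' > "$d/ps.txt"
    unsandboxed_pids "$d/jail.txt" "$d/ps.txt" firefox
    rm -rf "$d"
}

# Live use: firejail --list > jail.txt; ps -eo pid=,ppid=,comm= > ps.txt
#           unsandboxed_pids jail.txt ps.txt firefox
demo
```

An empty result means every matching process is under Firejail; any PID printed belongs to a browser started from the unmodified launcher.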