Firejail for Firefox or the Noscript browser add-on? [SOLVED]

[PringleBeagle]

I'm new to Linux Mint (20.2, Cinnamon) but not feeling 100% confident about security. I installed Firejail through Software manager but it's been buggy. I have to open the browser through Firetools each time. I previously tried firecfg via the terminal but several programs wouldn't open at all, i.e., VSCode so I rolled it back with the --clean command.

Now Firefox sometimes works depending on whether the Noscript add-on is enabled. If it is, the page loads but quickly becomes unresponsive, then loads a ton of pop-up Noscript error messages.

If it's an either/or choice between running a sandboxed browser or one with Noscript, which is more effective?

I'd planned on using Firejail to sandbox Firefox, but should I be thinking broader than that and sandboxing Thunderbird, LibreOffice (and the other default programs in Firetools)? In which case, is there a more compatible sandboxing suite I should check out?

This is a full Mint installation on a desktop PC (Lenovo).

Thanks for any pointers!

[Aztaroth]

I'm new to Linux Mint (20.2, Cinnamon) but not feeling 100% confident about security.

With such a topic title, you'll get tons of contradictory advices. So, I won't give you any . Just links to privacy oriented associations, the reading of which may help you making the best decisions about browser, adds, privacy tools...

1) Electric Frontier Foundation
https://www.eff.org/pages/tools
see at least their tools (Privacy Badger and HTTPS Everywhere) and Cover your Tracks which will tell you if everybody will know the color of your pants after each web session.

2) Privacy Tools
https://www.privacytools.io/
will give you lists of safe tools by category (browser, add-ons, mail, search engines, VPNs, clouds...) to help you make choices suiting to your needs.

The rest is yours. You're the only qualified person to set your threat profile (means what you want to prevent). Advices beginning with 'I do', 'I set' may obviously suit the one who's saying it but may not match your needs or wishes. That's why I refrained from it.

[Petermint]

My Firefox with Noscript runs ok in Firejail. I did have to fiddle with a Firejail setting and do not remember what it was. Some Web sites fail without a message while the well behaved ones will put up a message about their Javascript use.

Firejail stops the stuff running inside of Firefox from grabbing stuff outside of Firefox. It is similar to some of the "private browser" options in new Web browsers. You generally do not need Firejail for things that are only running inside your local machine, like LibreOffice.

Any application that has add-on options may allow the download of an untested or pirate add-on, a reason to use Firejail. Any application that allows scripts is worth protecting. One of the reasons I do not use install options like Composer, is the automatic installation of a heap of things without any warning. You never know what you will get. Firejail cannot protect you from those problems.

[PringleBeagle]

Thank you @Aztaroth and @Petermint. Ideally I'd like to have both Firejail and Noscript at the same time, so I'll take a look at settings - or alternatives. I'd read a few reviews saying Firejail could be problematic on Mint 20.2 so I had a feeling it might not be completely straightforward!

@Petermint, do you know or remember how to add and remove individual default programs so they automatically run sandboxed without having to access via Firetool or command line? The universal firecfg route didn't work for me.

Adding Thunderbird and other programs to the sandbox makes sense, but I wish the workflow was a bit smoother. I do regularly send and receive attachments: am I right in thinking I need to first put these in a safe folder, like Downloads?

[Petermint]

Code: Select all

firejail firefox %u

The firefox entry in my menu.

There are relevant questions and answers in the following post and similar.
viewtopic.php?t=338344

[MikeNovember]

Hi,

Two different problems.

- The use of NoScript extension: most of websites DO NOT WORK without javascript and other things blocked by default by NoScript. If you really want to use this extension, you should test every website you browse: 1st with default settings blocked scripts, if all is ok, don't change anything; if something is wrong, allow scripts temporarily and reload web page, if all is now OK with this setting you will have to choose to permanently allow scripts if you trust the website, or go back to the default blocking and don't use the website. It is a tedious process, for an evident answer: 99% of websites do use javascript and force you to allow scripts if you want to use them.
NoScript should be reserved to safe browsing on websites where you should not go, and it is preferable to avoid these websites, with or without Noscript.

- The use of Firejail: Firejail allows to use an application in a sandbox, which increases security of apps, particularly when they connect to internet. Firecfg should be avoided: it runs in sandboxes lots of apps, including ones not connecting to internet, and prevents some normal function of apps (as en example, your pdf thumbnails are no longer refreshed, and show the default pdf icon instead of the thumbnail of the content). Firejail has default settings, and if firejailed Firefox does not work like you want, it is difficult to understand the settings and to change them (this includes the fact that there is no support on Firejail web site and no Firejail user forum).

An easier way to use Firefox in a sandbox is to use its flatpak version; you can install it by the command:

Code: Select all

flatpak install org.mozilla.firefox

Sandbox settings for each flatpak app can be easily set graphically with flatseal, itself a flatpak app that you can install with:

Code: Select all

flatpak install com.github.tchx84.Flatseal

Its integrated documentation explains the meaning of all of the settings (permissions) allowed to a flatpak app.

Finally, you can avoid tracking and ads in Firefow with three extensions: HTTPS everywhere, Privacy Badger and uBlock Origin.

Regards,

MN

[PringleBeagle]

Great, thanks again @Petermint. And thanks for the context @MikeNovember. I'll think about my browser extensions - I already use the ones you've mentioned and have been reading more about Noscript today, so am coming to the conclusion it's probably overkill (for me). So that fixes that aspect

I'm going to play around with Firejail a bit more too. Thunderbird is quite clunky for me anyway - it doesn't always happily sync with external email, task and calendar providers so tbh it would solve a problem to take that out of the equation (for the time being) as well.

Thanks everyone for sharing suggestions.