Firejail

Abarbarian

https://l3net.wordpress.com/2014/09/19/firejail-a-security-sandbox-for-mozilla-firefox/

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications. The core technology behind Firejail is Linux Namespaces, a virtualization technology available in Linux kernel. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table, IPC space.


The sandbox runs a chroot filesystem built on the fly on top of your current filesystem. Directories are either mounted read-only or totally cleared, files with passwords and encryption keys are blocked, and your private information in user home directory is unavailable. In fact, only two directories are imported from your home, ~/.mozilla and ~/Downloads. All the modifications in these directories are persistent. Everything else is created in a temporary filesystem and will be discarded when the browser is closed.

Private mode always starts the browser with factory defaults, protecting it from malicious addons and plugins the user might have installed in the past. It is mainly used for accessing bank websites and alike:

$ firejail --private firefox


For more information about private mode and high security browser setups see part 3 of this series.

Oh and if you think that as a Chrome user you do not need this program as you are fully sandboxed in Chrome...
The funny part is Chromium browser sandboxes itself in its own Linux namespaces SUID sandbox, so what you have here is a sandbox in a sandbox running a browser. Chromium sandbox is similar to Firejail, it implements its own seccomp filter, but it leaves the filesystem wide open.

Even penguins can do with a bit of security. :cool:
 
I use firejail with FireFox when I am doing internet financial stuff and then close down the program. To carry on ordinary surfing I then open up a fresh FF. I do this via an "alias". It only took me a few moments to set up and is no trouble to run and I have a touch more security. Now I have a more powerful pc I will set up FF or Chrome to run in a firejail configuration all the time.

Code:
firejail --private firefox

Here are some more links to ways to use and run firejail.

https://firejail.wordpress.com/documentation-2/firefox-guide/

http://www.linux-magazine.com/Issues/2015/173/Firejail

For Mint users there is no need to use an alias as this thread shows.

https://forums.linuxmint.com/viewtopic.php?t=202735

:cool:
 
Security whilst surfing the net is essential these days and even GNU/Linux users would be wise to take additional steps to lock down their computers.

FIREJAIL

In August 2015, Mozilla was notified by security researcher Cody Crews that a malicious advertisement on a Russian news site was exploiting a vulnerability in Firefox’s PDF Viewer. The exploit payload searched for sensitive files on users’ local filesystem, and reportedly uploaded them to the attacker’s server. The default Firejail configuration blocked access to .ssh, .gnupg and .filezilla in all directories present under /home. More advanced sandbox configurations blocked everything else.

I had previously given a way to use firejail to make FireFox more secure and whilst that was pretty secure here is an even more secure way to use FireFox. I am using this for internet banking only as every time you use it you get a brand new clean basic FireFox without all your bookmarks and add-ons. So I have made an alias for this particular set up and only use it to do banking stuff.

High security browser setup
Use this setup to access your bank account, or any other site dealing with highly sensitive private information. The idea is you trust the site, but you don’t trust the addons and plugins installed in your browser. Use --private Firejail option to start with a factory default browser configuration, and an empty home directory.

Also, you would need to take care of your DNS setting – current home routers are ridiculously insecure, and the easiest attack is to reconfigure DNS, and redirect the traffic to a fake bank website. Use --dns Firejail option to specify a DNS configuration for your sandbox:

Code:
$ firejail --private --dns=8.8.8.8 --dns=8.8.4.4 firefox -no-remote

The two DNS servers above belong to Google, and at least one national security agency has access to logging information. Don’t use them for anything else than banking. We also add -no-remote so we don’t end up by mistake in an already running “entertainment” browser.


There is one important instruction to note in the above, "-no-remote". This is included because,

Note: by default, a single Firefox process instance handles multiple browser windows. If you already have Firefox running, you would need to use -no-remote command line option, otherwise you end up with a new tab or a new window attached to the existing Firefox process:

As I never have another instance of FireFox running whilst doing my banking I omit "-no-remote" from my alias like so,

Code:
$ firejail --private --dns=8.8.8.8 --dns=8.8.4.4 firefox

Have fun with your penguin and keep safe folks.
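Added example, not part of the original post or of the Firejail project: a shell function version of the banking alias that adds -no-remote only when a Firefox process is already running, so the banking session never attaches to an existing unsandboxed browser. The names bank_browser, firefox_running, BANK_DNS1 and BANK_DNS2 are made up for this example, and the process name "firefox" is an assumption (some distributions use firefox-esr or firefox-bin).

```shell
#!/bin/sh
# Added example: wrapper for the "banking only" Firejail setup.
# Source this file from ~/.bashrc (or similar), then run: bank_browser
# All names below are assumptions of this example, not Firejail's own.

# DNS servers handed to the sandbox; defaults are the ones used in the post.
BANK_DNS1="${BANK_DNS1:-8.8.8.8}"
BANK_DNS2="${BANK_DNS2:-8.8.4.4}"

# Return 0 if this user already has a process named exactly "firefox".
firefox_running() {
    pgrep -u "$(id -u)" -x firefox >/dev/null 2>&1
}

# bank_browser      start a factory-default Firefox inside Firejail
# bank_browser -n   dry run: only print the command that would be started
bank_browser() {
    dry_run=0
    if [ "${1:-}" = "-n" ]; then dry_run=1; fi

    # --private: empty home directory, factory-default browser profile.
    # --dns:     resolver for the sandbox instead of the router's setting.
    set -- firejail --private "--dns=$BANK_DNS1" "--dns=$BANK_DNS2" firefox

    # Without -no-remote, a running Firefox would just open a new window
    # in its own process, outside the sandbox.
    if firefox_running; then set -- "$@" -no-remote; fi

    if [ "$dry_run" -eq 1 ]; then
        echo "$*"
        return 0
    fi

    # Fail loudly rather than fall back to an unsandboxed browser.
    if ! command -v firejail >/dev/null 2>&1; then
        echo "bank_browser: firejail is not installed, not starting firefox" >&2
        return 127
    fi
    "$@"
}
```

While the banking browser is open, `firejail --list` in another terminal shows the running sandbox, which confirms the session really is inside Firejail.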

 
I was sure that I had started a thread about ZIM but it seems I have not.

https://zim-wiki.org/

Zim is a graphical text editor used to maintain a collection of wiki pages. Each page can contain links to other pages, simple formatting and images. Pages are stored in a folder structure, like in an outliner, and can have attachments. Creating a new page is as easy as linking to a nonexistent page. All data is stored in plain text files with wiki formatting. Various plugins provide additional functionality, like a task list manager, an equation editor, a tray icon, and support for version control.

Zim can be used to:

  • Keep an archive of notes
  • Keep a daily or weekly journal
  • Take notes during meetings or lectures
  • Organize task lists
  • Draft blog entries and emails
  • Do brainstorming


Just wanted to show how useful a program it is for forgetful folk like meself. I have created a Zim notebook called ArchWay that has an alphabetical menu running down the right hand side. So here is my ZIM entry for Firejail in my ArchWay notebook.



I find Zim to be a most useful program. I like the way it automatically creates links, saves on shutdown, the coloured highlighting, the way you can link to other relevant pages, image inclusion etc etc.

:breakfast:
 