
Sandfoxing Firefox (imho Necessary)


Of all the applications that we use the net for, the web browser is probably the most used, so it makes sense to protect it. Firefox is really good about security, but an occasional blip can happen, and you can't count on plug-ins, which work through Firefox and can have direct access to the hardware. Security issues in Firefox-related networking need to be taken seriously. The good news is that someone was smart enough to write a script that creates a sandbox for Firefox, and it's easy to use.

What is a sandbox

A sandbox is an environment made up of the programs and libraries required to run a certain program or programs. Inside that environment, programs run normally but are unable to access anything outside of it. It is a very secure way of networking an application.

What is needed

IgnorantGuru did the work, and the details on how to install it can be found here. After installing it (and inotify-tools), running it is basically:

sandfox --profile firefox firefox

Additional security

Before running that, though, I recommend an additional security measure to lock down the Flash folders:

sudo chmod ugo-wx ~/.adobe ~/.macromedia

Then also protect them in the script:

sudo sed -i 's_^hide=/home/\\$user/.adobe.*$_bindro=/home/\\$user/.adobe      # bind folder read-only_g' /usr/bin/sandfox
sudo sed -i 's_^hide=/home/\\$user/.macromedia.*$_bindro=/home/\\$user/.macromedia # bind folder read-only_g' /usr/bin/sandfox

Desktop file

Creating a .desktop file is a bit more practical and can be done with:

cp /usr/share/applications/firefox.desktop ~/.local/share/applications/firefox-sandfox.desktop

Then change the Exec line in firefox-sandfox.desktop to gksudo --disable-grab "sandfox --profile firefox firefox", and refresh the database:

update-desktop-database -q

To make it executable by clicking on it, do:

chmod +x ~/.local/share/applications/firefox-sandfox.desktop
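
The desktop-file steps above as one script. This is an added example, not part of the original post or of sandfox itself. The function names are hypothetical, and rewriting every Exec key (desktop actions such as "New Window" included) is this example's assumption, so that no menu entry starts Firefox outside the sandbox.

```shell
#!/bin/sh
# Added example (not from the original post): build the sandboxed launcher.
# Exec value exactly as given in the post.
SANDFOX_EXEC='gksudo --disable-grab "sandfox --profile firefox firefox"'

# make_sandfox_desktop SRC DEST  (hypothetical helper name)
# Copy SRC to DEST with every Exec key pointing at sandfox, then mark DEST
# executable. Rewriting all Exec keys, including [Desktop Action ...] ones,
# is this example's choice; the post only mentions "the Exec line".
make_sandfox_desktop() {
    src=$1
    dest=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$(dirname "$dest")" || return 1
    # '|' is the sed delimiter; SANDFOX_EXEC contains no '|', '&' or '\'.
    sed "s|^Exec[[:space:]]*=.*|Exec=$SANDFOX_EXEC|" "$src" > "$dest" || return 1
    chmod +x "$dest"
}

# count_unsandboxed_execs FILE  (hypothetical helper name)
# Print how many Exec keys in FILE would still start Firefox outside sandfox.
count_unsandboxed_execs() {
    awk '/^Exec[ \t]*=/ && !/sandfox --profile firefox/ { n++ }
         END { print n + 0 }' "$1"
}

# Demo on a constructed launcher in a temp dir, so nothing real is touched.
demo_dir=$(mktemp -d)
cat > "$demo_dir/firefox.desktop" <<'EOF'
[Desktop Entry]
Name=Firefox
Exec=firefox %u
Type=Application
Actions=new-window;

[Desktop Action new-window]
Name=New Window
Exec=firefox --new-window %u
EOF
make_sandfox_desktop "$demo_dir/firefox.desktop" "$demo_dir/firefox-sandfox.desktop"
echo "unsandboxed Exec keys before: $(count_unsandboxed_execs "$demo_dir/firefox.desktop")"
echo "unsandboxed Exec keys after:  $(count_unsandboxed_execs "$demo_dir/firefox-sandfox.desktop")"
rm -rf "$demo_dir"
```

For a real install, call make_sandfox_desktop with the source and destination paths from the cp command above, then run update-desktop-database -q as the post describes.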

Cleanup

Here are .service files for systemd that will remove old sandboxes on poweroff and load:

sudo systemctl enable sandfox-closeall-poweroff.service sandfox-rm.service


About Todd Partridge (Gently)

Good times, good people, good fun.
