The officially official Devuan Forum!


#1 2016-12-03 00:24:58

catprints
Member
Registered: 2016-11-30
Posts: 53

browser security DIY

https://www.nexlab.net/ Hope it is ok to post this here. Nextime has an interesting article on browser security. A bit above my head but usable information and instructions. Also other interesting stuff.


"The obstacle is the path."


#2 2016-12-04 03:56:27

chillfan
Member
Registered: 2016-12-01
Posts: 16

Re: browser security DIY

I've tinkered with firejail but not much beyond the default profiles. I'll have to give this a read. Nice find :)

Last edited by chillfan (2016-12-04 03:56:45)


#3 2016-12-12 22:20:29

fsmithred
Administrator
Registered: 2016-11-25
Posts: 377

Re: browser security DIY

Wow. I read the article. That's a lot to digest. I've been using firejail for a few months, but just with the default settings. I also tried it with firetools, a graphical front end, but I didn't like it. Couldn't figure out how to edit the menu to show just the apps I wanted to use. So I wrote my own front end.

firemenu is a bash script that uses yad for a graphical front end. It presents a list of applications that have firejail profiles, and you can filter the list to just show the apps you normally use.

https://sourceforge.net/projects/refrac … nu-1.2.deb
https://github.com/fsmithred/firemenu


#4 2016-12-13 13:50:14

catprints
Member
Registered: 2016-11-30
Posts: 53

Re: browser security DIY

@ fsmithred, I don't see yad (or gtk+) in devuan stable repos. Can you suggest a place to get deb files that will work for devuan stable? I ran into this before with refracta snapshot gui.

Last edited by catprints (2016-12-13 13:51:20)


"The obstacle is the path."


#5 2016-12-13 15:08:55

fsmithred
Administrator
Registered: 2016-11-25
Posts: 377

Re: browser security DIY

Sorry about that. I keep forgetting that yad is not in jessie.

This version works with jessie. (0.27.0-1)
http://debs.slavino.sk/pool/main/y/yad/ … _amd64.deb
http://debs.slavino.sk/pool/main/y/yad/ … 1_i386.deb

And in case those go away, I've got them here:
http://distro.ibiblio.org/refracta/file … _packages/

Last edited by fsmithred (2016-12-13 15:12:04)


#6 2016-12-13 15:47:31

catprints
Member
Registered: 2016-11-30
Posts: 53

Re: browser security DIY

Thank you for the quick response.

Nice.  I used pluma (mate) as "other editor" and it appears all is good. The menu is nice especially for the less used apps I don't wish to have as panel icons but are readily available in FireMenu. Thanks.

Last edited by catprints (2016-12-13 16:47:56)


"The obstacle is the path."


#7 2017-04-23 18:55:43

rufwoof
Member
Registered: 2017-04-23
Posts: 9

Re: browser security DIY

It doesn't really help for the likes of Mozilla (Firefox) to publish details of vulnerabilities

Description

Mozilla developers and community members Christian Holler, Jon Coppeard, Marcia Knous, David Baron, Mats Palmgren, Ronald Crane, Bob Clary, and Chris Peterson reported memory safety bugs present in Firefox 52, Firefox ESR 45.8, and Firefox ESR 52. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.

... along with pointers to near enough exactly where any hacker might focus their attention to figure out potential means to break into any systems that are detected as using older versions (user hasn't upgraded their browser).

My stance is to not run browser, kodi, skype ...etc as either root or as a userid that can sudo or su. Along with setting permissions on files/folders (chmod, chown, chgrp) so that the restricted account/userid is limited to where it can see if a hacker manages to break-out of a browser/skype/whatever.

My sda3 is a NTFS format partition and to enable that to have permissions set I include an appropriate entry in /etc/fstab (see clickable thumbnail image).

[thumbnail image: sec.png]

My sda2 is an ext format partition, so that already has permissions setting capabilities.

For day to day usage I simply Ctrl-Alt-Fn between the likes of userid devuan desktop that is pretty much unrestricted (can su, sudo ...etc), where I store personal files/folders that I'd rather a hacker couldn't see, and the restricted userid (that I call ff and have it assigned to a group of ff), i.e. mostly files/folders are owned by either root or devuan, and have a group allocation of either root or devuan ... so chmod o-wrx <folder/file> prevents anyone other than root or devuan from accessing/entering the file/folder(s).

I spend most of my time using that ff userid account's desktop (browsing whilst listening to the radio or using skype ...etc.), and even do documentation/office work using that ... but later move the files using devuan userid (that can see ff's files) to another folder owned by devuan userid out of harm's way.

My devuan and ff users desktops are pretty much the same except the wallpaper (as a visual indicator) and I don't include quick launch icons/panel launchers for network type programs such as browser/skype ...etc on the devuan userid's desktop (bit of a visual reminder to switch to ff's desktop to launch such programs).

The best train of thought IMO is to have a browse around your personal data/docs and see what you can see with the userid that you use to run your web browser ... and if you're not happy about what you can see then you need to make some changes. I don't know if my choice of closing the door is the best or in truth much about the alternatives either, it works for me (within my limited skills/capabilities) and provides an element of mental comfort. I appreciate however that nothing is truly safe. System files/configurations are replaceable ... personal data/files (wedding photos whatever) aren't. A good backup plan storing irreplaceable/invaluable personal files/photos offsite and multiple copies as ever is the best approach.

Last edited by rufwoof (2017-04-23 19:07:58)

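The check rufwoof suggests above (look at what the browser's userid can see, then close the door with chmod o-wrx) can be scripted. The following is an added example, not code from the thread: it finds every entry under a directory that a user outside the owner's group could read, write or enter, then strips those bits recursively. The directory tree it runs on is constructed in a temp directory; the `world_accessible`, `close_door` and `demo` names are the example's own.

```shell
#!/bin/sh
# Added example (not from the forum post). A browser running under a separate
# restricted user that is NOT in the owner's group sees exactly the entries
# whose "other" permission bits are set, so that is what we audit.

# world_accessible DIR: print every path below DIR that has any o+rwx bit set.
# -perm /o=rwx (GNU find) matches if ANY of the listed bits is present.
world_accessible() {
    find "$1" -perm /o=rwx 2>/dev/null | sort
}

# close_door DIR: the post's "chmod o-wrx <folder/file>", applied recursively.
# Owner and group keep their access; everyone else loses read/write/enter.
close_door() {
    chmod -R o-rwx "$1"
}

# demo: build a constructed tree, count what "others" can reach before and
# after close_door, and return both counts as "BEFORE AFTER".
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/private" "$tmp/shared"
    echo secret > "$tmp/private/wedding.jpg"   # constructed sample data
    echo public > "$tmp/shared/readme.txt"
    chmod 755 "$tmp"
    chmod 700 "$tmp/private"; chmod 600 "$tmp/private/wedding.jpg"
    chmod 755 "$tmp/shared";  chmod 644 "$tmp/shared/readme.txt"

    # Before: the top dir, shared/ and readme.txt are reachable by others (3).
    before=$(world_accessible "$tmp" | wc -l | tr -d ' ')
    close_door "$tmp"
    # After: nothing below the tree carries an "other" bit (0).
    after=$(world_accessible "$tmp" | wc -l | tr -d ' ')

    rm -rf "$tmp"
    echo "$before $after"
}
```

For the NTFS partition the post mentions, ntfs-3g's uid=, gid= and umask= mount options in /etc/fstab are what give that filesystem ownership and mode bits to audit this way; the post's exact entry is in its image and is not reproduced here.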
