The officially official Devuan Forum!

#1 Freedom Hacks » Firefox: Dialectics of Antagonistic Security Bugs » 2026-05-30 18:19:11

igorzwx
Replies: 0
Firefox: Dialectics of Antagonistic Security Bugs

Firefox with unlocked preferences is an attractive target for attacks. Unprotected security preferences can be exploited as backdoors. To lock down these backdoors, you must fix antagonistic bugs with dialectical patches.

Don't panic! Debian's Firefox ESR leverages a system-wide preference lockdown that allows administrators to enforce security policies. Ordinary users, of course, may dwell in ignorance and fear. Devuan Wiki might be difficult to consume for TikTok users.

NOTE: This guide is a work in progress. Please do not post in this topic. Since the community has complained about "spoon-feeding", this guide is intended for experienced Linux users. If you have any questions, please consult the Devuan Wiki, or other knowledge repositories of the sort. If you have problems with dialectical patches, study Hegel or Monty Python.

Firefox Developer Edition
The browser made for developers
All the latest developer tools in beta in addition to features like the Multi-line Console Editor and WebSocket Inspector.
A separate profile and path so you can easily run it alongside Release or Beta Firefox.
Preferences tailored for web developers: Browser and remote debugging are enabled by default, as are the dark theme and developer toolbar button.
_https://www.firefox.com/en-US/channel/desktop/developer

It means:

about:config 
devtools.chrome.enabled = true 
devtools.theme = dark 
browser.toolbars.bookmarks.visibility = always 

Why not close backdoors with a key?

// Disable remote debugging
pref("devtools.debugger.remote-enabled", false, locked);
// Restrict connections to localhost only (default: true)
pref("devtools.debugger.force-local", true, locked);
// Disable browser chrome debugging (debugging Firefox itself). 
pref("devtools.chrome.enabled", false, locked);
// Block access to all developer tools functionality
pref("devtools.policy.disabled", true, locked); 

Security Implications of Unlocked Preferences:
1. Malicious extensions could modify security-critical preferences (like cookie behavior, remote debugging, or TLS settings)
2. Compromised user accounts could weaken protections through about:config
3. Malware could disable security features to facilitate further attacks
4. Social engineering could trick users into changing critical settings
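
Added example (not part of the original post): a shell audit that checks whether the four devtools preferences listed above are present, set to the expected value and locked in a system-wide preference file. The function names audit_prefs and write_samples, the file names and the report labels are assumptions made for this example, the sample files are constructed, and the parser assumes one pref() call per line.

```bash
#!/bin/sh
# Added example: audit system-wide Firefox pref files for the devtools prefs
# this guide locks. Function names, file names and report labels are made up.

# audit_prefs REQUIRED_FILE PREF_FILE...
#   REQUIRED_FILE holds "pref.name expected_value" per line (no spaces in value).
#   Prints one finding per line; returns 0 only when there are no findings.
#   Assumes one pref() call per line, as in the files shown in this guide.
audit_prefs() {
    awk '
        # First file: the required list.
        FNR == NR {
            if (NF >= 2 && $1 !~ /^#/) want[$1] = $2
            next
        }
        # Other files: active pref() lines only; commented-out lines do not match.
        /^[ \t]*pref\(/ {
            line = $0
            sub(/^[ \t]*pref\([ \t]*"/, "", line)   # strip the leading pref-open
            name = line
            sub(/".*$/, "", name)                    # keep only the pref name
            if (!(name in want)) next
            rest = substr(line, length(name) + 2)    # text after the quoted name
            sub(/^[ \t]*,[ \t]*/, "", rest)
            sub(/[ \t]*\)[ \t]*;.*$/, "", rest)      # strip the close and any comment
            locked = sub(/[ \t]*,[ \t]*locked$/, "", rest)
            seen[name] = 1
            if (rest != want[name]) {
                printf "WRONG_VALUE %s:%d %s is %s, want %s\n", FILENAME, FNR, name, rest, want[name]
                bad = 1
            }
            if (!locked) {
                printf "UNLOCKED %s:%d %s\n", FILENAME, FNR, name
                bad = 1
            }
        }
        END {
            for (n in want) if (!(n in seen)) { print "MISSING " n; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$@"
}

# write_samples DIR: constructed inputs for the demo (not real system files).
write_samples() {
    # Expected values are the locked devtools lines from this guide.
    cat > "$1/required.txt" <<'EOF'
devtools.debugger.remote-enabled false
devtools.debugger.force-local true
devtools.chrome.enabled false
devtools.policy.disabled true
EOF
    cat > "$1/locked.js" <<'EOF'
// Constructed sample: all four prefs locked as in the guide
pref("devtools.debugger.remote-enabled", false, locked);
pref("devtools.debugger.force-local", true, locked);
pref("devtools.chrome.enabled", false, locked); // trailing comment
pref("devtools.policy.disabled", true, locked);
EOF
    cat > "$1/weak.js" <<'EOF'
// Constructed sample: one pref enabled, one unlocked, one commented out
pref("devtools.chrome.enabled", true);
pref("devtools.debugger.remote-enabled", false);
pref("devtools.debugger.force-local", true, locked);
//pref("devtools.policy.disabled", true, locked);
EOF
}

# Demo run on the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
audit_prefs "$tmp/required.txt" "$tmp/locked.js" && echo "locked.js: all required prefs locked"
audit_prefs "$tmp/required.txt" "$tmp/weak.js" || echo "weak.js: findings listed above"
rm -rf "$tmp"
```

To audit an installed build, pass the real files instead of the samples, for example every *.js file under /etc/firefox-dev/defaults/pref/.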

Official Documentation: Building Firefox On Linux

_https://firefox-source-docs.mozilla.org/setup/linux_build.html
_https://firefox-source-docs.mozilla.org/build/buildsystem/mozconfigs.html

PATCHES:

$ cat PATCHES/0001-Set-MOZ_APP_UA_NAME-to-Firefox-for-clean-UA-strings.patch
From 8bd5afd0265356ddc323cffd8397208b5750227a Mon Sep 17 00:00:00 2001
From: Devuan <devuan@devuan.cargo-cult.org>
Date: Fri, 15 May 2026 23:40:28 +0200
Subject: [PATCH 1/3] Set MOZ_APP_UA_NAME to Firefox for clean UA strings

---
 browser/moz.configure | 1 +
 1 file changed, 1 insertion(+)

diff --git a/browser/moz.configure b/browser/moz.configure
index 3ea3d88b9360..0a95edc31354 100644
--- a/browser/moz.configure
+++ b/browser/moz.configure
@@ -16,6 +16,7 @@ imply_option("MOZ_APP_ID", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}")
 # Include the DevTools client, not just the server (which is the default)
 imply_option("MOZ_DEVTOOLS", "all")
 imply_option("BROWSER_CHROME_URL", "chrome://browser/content/browser.xhtml")
+imply_option("MOZ_APP_UA_NAME", "Firefox")

 with only_when(target_has_linux_kernel & compile_environment):
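
Review bot: The added imply_option("MOZ_APP_UA_NAME", "Firefox") line is unconditional and carries no comment, and the commit message has no body, so the reason for the override is not recorded anywhere. Add a one-line comment above it, as the MOZ_DEVTOOLS line just before it has, and state in the message body what "clean UA strings" means for a build configured with a different app name.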
-- 
2.39.5
$ cat PATCHES/0002-Set-MOZ_APP_PROFILE-to-Firefox-for-clean-APP_PROFILE.patch
From 252efd229f1d9dac21e053d05a5ef9ced1ca14f3 Mon Sep 17 00:00:00 2001
From: Devuan <devuan@devuan.cargo-cult.org>
Date: Sat, 16 May 2026 18:02:08 +0200
Subject: [PATCH 2/3] Set MOZ_APP_PROFILE to Firefox for clean APP_PROFILE
 strings

---
 browser/moz.configure | 1 +
 1 file changed, 1 insertion(+)

diff --git a/browser/moz.configure b/browser/moz.configure
index 0a95edc31354..a4a4945ddbdd 100644
--- a/browser/moz.configure
+++ b/browser/moz.configure
@@ -17,6 +17,7 @@ imply_option("MOZ_APP_ID", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}")
 imply_option("MOZ_DEVTOOLS", "all")
 imply_option("BROWSER_CHROME_URL", "chrome://browser/content/browser.xhtml")
 imply_option("MOZ_APP_UA_NAME", "Firefox")
+imply_option("MOZ_APP_PROFILE", "firefox-dev")

 with only_when(target_has_linux_kernel & compile_environment):
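
Review bot: The subject says MOZ_APP_PROFILE is set "to Firefox", but the added line sets it to "firefox-dev"; the wording looks carried over from patch 1/3. Reword the subject to name the actual value, and add a message body explaining why the profile name is pinned in browser/moz.configure rather than following the configured app name.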
-- 
2.39.5
$ cat PATCHES/0003-Fix-system-preferences-for-custom-firefox-dev-builds.patch
From 9f4226e27c3b85506873bea8e30645fb066709ae Mon Sep 17 00:00:00 2001
From: Devuan <devuan@devuan.cargo-cult.org>
Date: Thu, 28 May 2026 23:41:26 +0200
Subject: [PATCH 3/3] Fix system preferences for custom firefox-dev builds
 (security-critical)

This fixes two upstream bugs that prevent the system preferences security
feature from working, which is designed to lock down potential backdoors
by allowing administrators to enforce system-wide preference settings.

Bug 1: Configure option contradiction in toolkit/moz.configure
- Original code defines --disable-system-preferences but requires
  --enable-system-preferences in the when condition, creating a
  semantic contradiction that prevents the feature from being enabled
- Fixed with inline lambda pattern: when=depends("--disable-system-preferences")(lambda x: not x)

Bug 2: Dynamic app name resolution in xpcom/io/SpecialSystemDirectory.cpp
- Runtime code dynamically constructs /etc/{appname}/defaults/pref/ path
- This breaks system-wide configuration for custom builds with non-standard
  app names like firefox-dev
- Fixed by hardcoding "firefox-dev" to match the existing directory structure

REQUIREMENT: Users must add this line to their .mozconfig:
  ac_add_options --disable-system-preferences

This is a dialectical workaround: the --disable option actually enables
the feature due to the inverted lambda logic. Without this in .mozconfig,
the configure system will not set MOZ_SYSTEM_PREFERENCES.

Security Impact: System preferences load LAST, overriding application defaults.
This allows administrators to lock down preferences that could be exploited
as backdoors (telemetry, proxy settings, extensions, etc.). The upstream bugs
prevent this security mechanism from functioning.
---
 toolkit/moz.configure               |  4 ++--
 xpcom/io/SpecialSystemDirectory.cpp | 31 ++++++++++++++++-------------
 2 files changed, 19 insertions(+), 16 deletions(-)

diff --git a/toolkit/moz.configure b/toolkit/moz.configure
index 2412f33b4ef5..cd230f461282 100644
--- a/toolkit/moz.configure
+++ b/toolkit/moz.configure
@@ -4232,8 +4232,8 @@ option(
     help="Disable reading preferences from /etc/firefox",
 )
 
-set_config("MOZ_SYSTEM_PREFERENCES", True, when="--enable-system-preferences")
-set_define("MOZ_SYSTEM_PREFERENCES", True, when="--enable-system-preferences")
+set_config("MOZ_SYSTEM_PREFERENCES", True, when=depends("--disable-system-preferences")(lambda x: not x))
+set_define("MOZ_SYSTEM_PREFERENCES", True, when=depends("--disable-system-preferences")(lambda x: not x))
 
 # Allow disabling the creation a legacy profile
 # ==============================================================
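
Review bot: With `lambda x: not x` on both replaced lines, MOZ_SYSTEM_PREFERENCES is set only when the option value is false, so the flag whose help text on the context line reads "Disable reading preferences from /etc/firefox" now switches that reading on, and a build that does not pass the flag does not get the define. Anyone passing --disable-system-preferences to turn the feature off gets the opposite. Prefer a condition that keeps the flag's meaning and sets the define in the default case, or at minimum change the help string in this same hunk so it matches the behaviour. The depends(...) expression is also duplicated on two long lines; bind it to a name once and reuse it.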
diff --git a/xpcom/io/SpecialSystemDirectory.cpp b/xpcom/io/SpecialSystemDirectory.cpp
index 5e80ca881c27..3d1cdf7b3fc1 100644
--- a/xpcom/io/SpecialSystemDirectory.cpp
+++ b/xpcom/io/SpecialSystemDirectory.cpp
@@ -155,20 +155,22 @@ static nsresult GetUnixHomeDir(nsIFile** aFile) {
 #  endif
 }
 
-static nsresult GetUnixSystemConfigDir(nsIFile** aFile) {
-#  if defined(ANDROID)
-  return NS_ERROR_FAILURE;
-#  else
-  nsAutoCString appName;
-  if (nsCOMPtr<nsIXULAppInfo> appInfo =
-          do_GetService("@mozilla.org/xre/app-info;1")) {
-    MOZ_TRY(appInfo->GetName(appName));
-  } else {
-    appName.AssignLiteral(MOZ_APP_BASENAME);
-  }
-
-  ToLowerCase(appName);
-
+static nsresult GetUnixSystemConfigDir(nsIFile** aFile) {  
+#  if defined(ANDROID)  
+  return NS_ERROR_FAILURE;  
+#  else  
+  // DIALECTICAL FIX: Hardcode firefox-dev for custom build  
+  nsAutoCString appName("firefox-dev");  
+    
+  // Original dynamic code (commented out):  
+  // if (nsCOMPtr<nsIXULAppInfo> appInfo =  
+  //         do_GetService("@mozilla.org/xre/app-info;1")) {  
+  //   MOZ_TRY(appInfo->GetName(appName));  
+  // } else {  
+  //   appName.AssignLiteral(MOZ_APP_BASENAME);  
+  // }  
+  // ToLowerCase(appName);  
+  
   nsDependentCString sysConfigDir;
   if (PR_GetEnv("XPCSHELL_TEST_PROFILE_DIR")) {
     const char* mozSystemConfigDir = PR_GetEnv("MOZ_SYSTEM_CONFIG_DIR");
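
Review bot: Hardcoding `nsAutoCString appName("firefox-dev")` in xpcom/io applies to every application built from this tree, not only the firefox-dev configuration, and it silently diverges if --with-app-name is changed in .mozconfig. Take the name from a build-time define rather than a string literal, and delete the commented-out block instead of keeping dead code in the function. The lines from the function signature to `#  else` are removed and re-added only because trailing whitespace was appended to them; restore the originals so the hunk shows just the real change.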
@@ -181,6 +183,7 @@ static nsresult GetUnixSystemConfigDir(nsIFile** aFile) {
     sysConfigDir.Assign(nsLiteralCString("/app/etc"));
   }
 #    endif
+
   if (sysConfigDir.IsEmpty()) {
     sysConfigDir.Assign(nsLiteralCString("/etc"));
   }
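
Review bot: The only change in this hunk is a blank line added after `#    endif`, which is unrelated to the fix described in the commit message. Drop it so a patch labelled security-critical contains only the lines that change behaviour.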
-- 
2.39.5
# Project tree:
#   BUILD/
#   ├── build_dir_ALSA-dev/     # created with ./mach build 
#   ├── debdir_ALSA-dev/        # created with ./mach install
#   ├── DEB_templates/          # 
#   │   └── make_deb.sh         # Bash script for Firefox packaging
#   ├── firefox/                # Firefox source code
#   └── PATCHES
#       ├── 0001-Set-MOZ_APP_UA_NAME-to-Firefox-for-clean-UA-strings.patch
#       ├── 0002-Set-MOZ_APP_PROFILE-to-Firefox-for-clean-APP_PROFILE.patch
#       └── 0003-Fix-system-preferences-for-custom-firefox-dev-builds.patch 

Create firefox/.mozconfig with a text editor

nano firefox/.mozconfig 
$ cat firefox/.mozconfig
# The default mozconfig is located here: sourcedir/browser/config/mozconfig
. $topsrcdir/browser/config/mozconfig  
mk_add_options MOZ_MAKE_FLAGS="-j$(expr $(nproc) + 2)" 
mk_add_options MOZ_OBJDIR="$(dirname $topsrcdir)"/build_dir_ALSA-dev  
mk_add_options MOZ_APP_DISPLAYNAME="Firefox Developer Edition"  
mk_add_options MOZ_SIMPLE_PACKAGE_NAME=firefox-dev  
ac_add_options --with-app-basename="Firefox Developer Edition" 
ac_add_options --with-app-name=firefox-dev  
ac_add_options --prefix=/usr  
ac_add_options --without-sysroot  
ac_add_options --enable-audio-backends=alsa
mk_add_options MOZ_DEV_EDITION=1
mk_add_options MOZ_APP_REMOTINGNAME=firefox-dev
ac_add_options --with-branding=browser/branding/aurora   #  Firefox Developer Edition
ac_add_options --enable-update-channel=aurora
ac_add_options --disable-crashreporter   # Optional
ac_add_options --disable-system-preferences  # dialectical workaround to enable system preferences
export LDFLAGS="-Wl,--no-keep-memory" 

Update the source code:

cd firefox && git pull 

Apply patches:

$ ls -1 ../PATCHES
0001-Set-MOZ_APP_UA_NAME-to-Firefox-for-clean-UA-strings.patch
0002-Set-MOZ_APP_PROFILE-to-Firefox-for-clean-APP_PROFILE.patch
0003-Fix-system-preferences-for-custom-firefox-dev-builds.patch 
patch -Np1 -i ../PATCHES/0001*
patch -Np1 -i ../PATCHES/0002*
patch -Np1 -i ../PATCHES/0003* 

Build firefox-dev

./mach clobber
./mach configure
$ grep "MOZ_SYSTEM_PREFERENCES" ../build_dir_ALSA-dev/config.status.json
    "MOZ_SYSTEM_PREFERENCES": "1",
    "MOZ_SYSTEM_PREFERENCES": "1", 
./mach build -v --priority normal 
$ grep "MOZ_SYSTEM_PREFERENCES" ../build_dir_ALSA-dev/mozilla-config.h
#define MOZ_SYSTEM_PREFERENCES 1 

Install to debdir

DESTDIR="$(dirname $(pwd))"/debdir_ALSA-dev ./mach install 
$ tree -L 3 ../debdir_ALSA-dev
../debdir_ALSA-dev
└── usr
    ├── bin
    │   └── firefox-dev -> /usr/lib/firefox-dev/firefox-dev
    └── lib
        └── firefox-dev 
$ ../debdir_ALSA-dev/usr/lib/firefox-dev/firefox-dev
Mozilla Firefox Developer Edition 153.0a1 

Packaging

sudo apt install fakeroot
mkdir "$(dirname $(pwd))"/DEB_templates && cd "$(dirname $(pwd))"/DEB_templates 

Create a script for Firefox packaging with a text editor

nano make_deb.sh

and make it executable.

$ cat make_deb.sh
#!/bin/bash
#
# Firefox Developer Edition Debian Package Builder
# ================================================
#
# This script creates a Debian package for Firefox Developer Edition 
# with security-hardened configuration. 
#
# NOTE: Alternatively, one may try the official Mozilla ./mach repackage deb tool, 
#       though it might be an exercise in masochism.
#
# Usage: ./make_deb.sh
# Location: Run from DEB_templates directory
#
# Project structure:
#   BUILD/
#   ├── build_dir_ALSA-dev/     # Compiled Firefox binaries created with ./mach build 
#   ├── debdir_ALSA-dev/        # Package staging directory created with ./mach install
#   ├── DEB_templates/          # This directory
#   │   └── make_deb.sh         # This script
#   └── firefox/                # Firefox source tree
#
# Output: firefox-dev-ed_<version>_<arch>.deb
#
# ==============================================================================

# Bash Strict Mode
set -euo pipefail

# -----------------------------------------------------------------------------
# Configuration
# -----------------------------------------------------------------------------
DEB_ROOT="$(dirname "$(pwd)")"/debdir_ALSA-dev
SHARE_DIR="$DEB_ROOT/usr/share"
ETC_DIR="$DEB_ROOT/etc"
LIB_DIR="$DEB_ROOT/usr/lib"
PACKAGE_NAME="firefox-dev"
DEB_PACKAGE_NAME="firefox-dev-ed"
VERSION="153.0a1-1"
ARCH="amd64"

echo "Creating Debian package for $PACKAGE_NAME $VERSION..."

# -----------------------------------------------------------------------------
# 1. Create directory structure (FHS compliant)
# -----------------------------------------------------------------------------
install -dm755 "$SHARE_DIR/$PACKAGE_NAME"/{browser/{chrome/icons/default,defaults/preferences},distribution/searchplugins/common}
install -dm755 "$SHARE_DIR/applications"
install -dm755 "$SHARE_DIR/icons/hicolor"/{16x16,32x32,48x48,64x64,128x128,symbolic}/apps
install -dm755 "$SHARE_DIR/doc/$PACKAGE_NAME"
install -dm755 "$SHARE_DIR/lintian/overrides"
install -dm755 "$SHARE_DIR/man/man1"
install -dm755 "$SHARE_DIR/mozilla/extensions"
install -dm755 "$ETC_DIR/$PACKAGE_NAME"/defaults/pref
install -dm755 "$DEB_ROOT/DEBIAN"

# -----------------------------------------------------------------------------
# 2. Create system-wide configuration files
# -----------------------------------------------------------------------------
# These files contain security-hardened Firefox preferences.
# They are installed directly into /etc/firefox-dev/defaults/pref/ (no symlinks are created).
# This allows system administrators to easily modify defaults.

# Primary configuration file with security preferences
install -m644 <(cat << 'EOF'
// Debian system-wide preferences for Firefox Developer Edition
// ============================================================
//
// This file contains security-hardened default settings for Firefox.
// System administrators can modify these values to change defaults.
//
// Syntax:
//   pref("preference.name", value);           // Default (user can override)
//   pref("preference.name", value, locked);   // Locked (user cannot override)
//
//   String values must be enclosed in double quotes.
//
// Security Configuration:
// ------------------------

// Extension updates
pref("extensions.update.enabled", true);

// Browser behavior
pref("browser.shell.checkDefaultBrowser", false);

// Media settings (disable GMP OpenH264 for privacy)
pref("media.gmp-gmpopenh264.enabled", false);

// Enhanced privacy: disable enhanced new tab page
pref("browser.newtabpage.enhanced", false, locked);

// Telemetry and data reporting (DISABLED for privacy)
pref("datareporting.healthreport.uploadEnabled", false, locked);

// URL bar: disable search suggestions for privacy
pref("browser.urlbar.suggest.searches", false, locked);

// Telemetry (DISABLED for privacy)
pref("toolkit.telemetry.enabled", false, locked);

// Media configuration for better sound quality
pref("media.webm.enabled", false, locked);
pref("media.resampling.enabled", false, locked);
pref("media.cubeb_latency_playback_ms", 160, locked);

// Region and localization (force US/English to prevent fingerprinting)
pref("browser.region.network.url", "", locked);
pref("browser.region.update.enabled", false, locked);
pref("browser.region.network.scan", false, locked);
pref("privacy.spoof_english", 2, locked);
pref("intl.accept_languages", "en-US, en, en-GB", locked);
pref("browser.search.region", "US", locked);
pref("browser.search.geoip.url", "", locked);
pref("distribution.searchplugins.defaultLocale", "en-US", locked);
EOF
) "$ETC_DIR/$PACKAGE_NAME/defaults/pref/firefox-dev.cfg1.js"

# -----------------------------------------------------------------------------
# 4. Create desktop entry (freedesktop.org compliant)
# -----------------------------------------------------------------------------
install -m644 <(cat << 'EOF'
[Desktop Entry]
Name=Firefox Developer Edition
Comment=Web Browser
Exec=/usr/lib/firefox-dev/firefox-dev %u
Icon=firefox-dev
Terminal=false
Type=Application
Categories=Network;WebBrowser;
MimeType=text/html;text/xml;application/xhtml+xml;application/vnd.mozilla.xul+xml;text/mml;x-scheme-handler/http;x-scheme-handler/https;x-scheme-handler/ftp;
StartupNotify=true
EOF
) "$SHARE_DIR/applications/$PACKAGE_NAME.desktop"

# -----------------------------------------------------------------------------
# 5. Create copyright file (Debian Policy compliant)
# -----------------------------------------------------------------------------
install -m644 <(cat << 'EOF'
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: Firefox Developer Edition
Source: https://github.com/mozilla/firefox

License: MPL-2.0
 This Source Code Form is subject to the terms of the Mozilla Public
 License, v. 2.0. If a copy of the MPL was not distributed with this
 file, You can obtain one at http://mozilla.org/MPL/2.0/.
EOF
) "$SHARE_DIR/doc/$PACKAGE_NAME/copyright"

# -----------------------------------------------------------------------------
# 6. Create lintian override (suppress expected warnings)
# -----------------------------------------------------------------------------
install -m644 <(echo "$PACKAGE_NAME: binary-without-manpage") \
    "$SHARE_DIR/lintian/overrides/$PACKAGE_NAME"

# -----------------------------------------------------------------------------
# 7. Create man page
# -----------------------------------------------------------------------------
install -m644 <(cat << 'EOF'
.TH FIREFOX-DEV 1 "User Commands"
.SH NAME
firefox-dev \- Mozilla Firefox Developer Edition
.SH DESCRIPTION
Firefox Developer Edition with custom ALSA support.
This build uses ALSA directly for audio output instead of PulseAudio.
.SH FILES
.I /etc/firefox-dev/defaults/pref/firefox-dev.cfg*.js
System-wide preference files.
.SH SEE ALSO
Firefox documentation: https://developer.mozilla.org/
EOF
) "$SHARE_DIR/man/man1/$PACKAGE_NAME.1"
gzip -9f "$SHARE_DIR/man/man1/$PACKAGE_NAME.1"

# -----------------------------------------------------------------------------
# 8. Copy icons from Firefox build directory
# -----------------------------------------------------------------------------
ICON_SOURCE_DIR="$LIB_DIR/$PACKAGE_NAME/browser/chrome/icons/default"
if [ -d "$ICON_SOURCE_DIR" ]; then
    for size in 16 32 48 64 128; do
        if [ -f "$ICON_SOURCE_DIR/default${size}.png" ]; then
            install -m644 "$ICON_SOURCE_DIR/default${size}.png" \
                "$SHARE_DIR/icons/hicolor/${size}x${size}/apps/$PACKAGE_NAME.png"
        fi
    done
fi

# -----------------------------------------------------------------------------
# 9. Calculate dependencies and Installed-Size
# -----------------------------------------------------------------------------
# This section uses dpkg-shlibdeps to automatically calculate library dependencies.
# A temporary debian directory is created for dependency calculation.

# Create control file template for dpkg-shlibdeps
mkdir -p debian
cat > debian/control << EOF
Source: ${DEB_PACKAGE_NAME}
Package: ${DEB_PACKAGE_NAME}
Depends: \${shlibs:Depends}
EOF

# Calculate dependencies using dpkg-shlibdeps
dpkg-shlibdeps -x"$PACKAGE_NAME" -l"$DEB_ROOT"/usr/lib \
    --ignore-missing-info -e $(find "$DEB_ROOT" -type f 2>/dev/null) 2>/dev/null

# Extract dependencies or use fallback
if [ -f debian/substvars ] && grep -q "shlibs:Depends" debian/substvars; then
    DEPS=$(grep "shlibs:Depends" debian/substvars | sed 's/shlibs:Depends=//')
else
    DEPS="libc6"
fi

# Add changelog (required by dpkg-gencontrol)
cat > debian/changelog << EOF
${DEB_PACKAGE_NAME} (${VERSION}) unstable; urgency=medium
  * Custom build with security enhancements and ALSA support
 -- Devuan Packaging <devuan@devuan.org>  $(date -R)
EOF

# Add misc dependencies (required by dpkg-gencontrol)
echo "misc:Depends=" >> debian/substvars
echo "misc:Pre-Depends=" >> debian/substvars

# Create control file template for dpkg-gencontrol
cat > debian/control << EOF
Source: ${DEB_PACKAGE_NAME}

Package: ${DEB_PACKAGE_NAME}
Architecture: ${ARCH}
EOF

# Run dpkg-gencontrol to calculate Installed-Size
dpkg-gencontrol -p${DEB_PACKAGE_NAME} \
    -ldebian/changelog \
    -Tdebian/substvars \
    -P"$DEB_ROOT" \
    2>/dev/null

# Extract Installed-Size
SIZE=$(sed -n 's/Installed-Size: //p' "$DEB_ROOT/DEBIAN/control")

# Clean up temporary directory
rm -rf debian

# -----------------------------------------------------------------------------
# 10. Create DEBIAN/control file with all fields in correct Debian order
# -----------------------------------------------------------------------------

cat > "$DEB_ROOT/DEBIAN/control" << EOF
Package: ${DEB_PACKAGE_NAME}
Version: ${VERSION}
Priority: optional
Section: web
Architecture: ${ARCH}
Maintainer: Devuan Packaging <devuan@devuan.org>
Installed-Size: ${SIZE}
Provides: gnome-www-browser, www-browser
Depends: ${DEPS}
Conflicts: firefox-dev
Recommends: libavcodec61 | libavcodec-extra61 | libavcodec60 | libavcodec-extra60 | libavcodec59 | libavcodec-extra59 | libavcodec58 | libavcodec-extra58 | libavcodec57 | libavcodec-extra57 | libavcodec56 | libavcodec-extra56 | libavcodec55 | libavcodec-extra55 | libavcodec54 | libavcodec-extra54 | libavcodec53 | libavcodec-extra53
Suggests: fonts-stix | otf-stix, fonts-lmodern, libgssapi-krb5-2 | libkrb53, libcanberra0
Description: Firefox Developer Edition (ALSA build)
 Firefox Developer Edition is a high-performance browser for web developers,
 featuring Multi-line Console Editor and WebSocket Inspector. It runs
 side-by-side with Release, Beta, or Nightly builds using a separate Profile
 Directory and installation path.
 .
 This custom build includes:
  * Security-hardened default preferences
  * ALSA audio support (no PulseAudio dependency)
  * Pre-configured developer defaults: remote debugging enabled, dark theme,
    and developer toolbar
EOF

# -----------------------------------------------------------------------------
# 11. Generate md5sums for all installed files
# -----------------------------------------------------------------------------
cd "$DEB_ROOT"
install -m644 <(find . -type f -not -path './DEBIAN/*' -printf '%P\0' | \
    xargs -0 md5sum | sort -k 2) DEBIAN/md5sums

# Display package structure
echo "Package structure:"
tree -L 3 .

# Return to script directory
cd "$(dirname "$(pwd)")"/DEB_templates

# -----------------------------------------------------------------------------
# 12. Build the package using dpkg-deb
# -----------------------------------------------------------------------------
echo "Building Debian package..."
fakeroot -- dpkg-deb -b "$DEB_ROOT" "${DEB_PACKAGE_NAME}_${VERSION}_${ARCH}.deb"

echo "Package built successfully: ${DEB_PACKAGE_NAME}_${VERSION}_${ARCH}.deb"

Run make_deb.sh to build Debian package

$ ./make_deb.sh
Creating Debian package for firefox-dev 153.0a1-1...
Package structure:
.
├── DEBIAN
│   ├── control
│   └── md5sums
├── etc
│   └── firefox-dev
│       └── defaults
└── usr
    ├── bin
    │   └── firefox-dev -> /usr/lib/firefox-dev/firefox-dev
    ├── lib
    │   └── firefox-dev
    └── share
        ├── applications
        ├── doc
        ├── firefox-dev
        ├── icons
        ├── lintian
        ├── man
        └── mozilla

17 directories, 3 files
Building Debian package...
dpkg-deb: building package 'firefox-dev-ed' in 'firefox-dev-ed_153.0a1-1_amd64.deb'.
Package built successfully: firefox-dev-ed_153.0a1-1_amd64.deb 
$ ls -1 *deb
firefox-dev-ed_153.0a1-1_amd64.deb

Install

sudo dpkg -i firefox-dev-ed_153.0a1-1_amd64.deb 
$ firefox-dev --version
Mozilla Firefox Developer Edition 153.0a1 

Hacking dependencies

The DEBIAN/control file is not included in DEBIAN/md5sums.
You can edit it freely without regenerating checksums.
To rebuild the package, run:

fakeroot -- dpkg-deb -b ../debdir_ALSA-dev firefox-dev-ed_153.0a1-1_amd64.deb

Repackaging

fakeroot -u -- dpkg-repack firefox-dev-ed
fakeroot -u dpkg-repack --generate <package-name> 

Example of Firefox hardened configuration:

$ cat /etc/firefox-dev/defaults/pref/firefox-dev.cfg5.js
// ============================================================================
// Firefox Security-Hardened Configuration
// ============================================================================
// This file locks all security-critical preferences to prevent 
// modification by users, extensions, or malicious code. 
// Place in /etc/firefox-dev/defaults/pref/
// ============================================================================

// -----------------------------------------------------------------------------
// Sandbox
// -----------------------------------------------------------------------------
// Linux Content Process Sandbox
// Level 6 = default-deny for ioctl (most restrictive)
pref("security.sandbox.content.level", 6, locked);
// Whitelist paths (empty string = no whitelist)
pref("security.sandbox.content.write_path_whitelist", "", locked);
pref("security.sandbox.content.read_path_whitelist", "", locked);
pref("security.sandbox.content.syscall_whitelist", "", locked);

// Socket Process Sandbox
// Level 2 = default-deny for ioctl
pref("security.sandbox.socket.process.level", 2, locked);

// Sandbox Logging (disable for security)
pref("security.sandbox.logging.enabled", false, locked);

// -----------------------------------------------------------------------------
// Remote Debugging and Developer Tools
// -----------------------------------------------------------------------------
// Disable remote debugging
pref("devtools.debugger.remote-enabled", false, locked);
// Port number for the debugging server (default: 6000)
pref("devtools.debugger.remote-port", 6000, locked);
// Restrict connections to localhost only (default: true)
pref("devtools.debugger.force-local", true, locked);
// Disable browser chrome debugging (debugging Firefox itself). Debian's default: false
pref("devtools.chrome.enabled", false, locked);
// Block access to all developer tools functionality
pref("devtools.policy.disabled", true, locked);

// -----------------------------------------------------------------------------
// Cookie and Privacy Settings
// -----------------------------------------------------------------------------
// Strongest cookie privacy setting (reject trackers, partition third-party cookies)
pref("network.cookie.cookieBehavior", 5, locked);
pref("network.cookie.cookieBehavior.pbmode", 5, locked);
// Block-by-default with opt-in partitioning (more restrictive than dFPI)
pref("network.cookie.cookieBehavior.optInPartitioning", true, locked);
pref("network.cookie.cookieBehavior.optInPartitioning.pbmode", true, locked);
// Block third-party cookies from tracking protection list
pref("network.cookie.cookieBehavior.trackerCookieBlocking", true, locked);
// Prevent sync from propagating weaker settings
pref("services.sync.prefs.sync.network.cookie.cookieBehavior", false, locked);

// Global Privacy Control
pref("privacy.globalprivacycontrol.enabled", true, locked);
pref("privacy.globalprivacycontrol.functionality.enabled", true, locked);
pref("privacy.globalprivacycontrol.pbmode.enabled", true, locked);

// Disable First Party Isolation (incompatible with behavior 5)
pref("privacy.firstparty.isolate", false, locked);
pref("privacy.firstparty.isolate.block_post_message", false, locked);
pref("privacy.firstparty.isolate.restrict_opener_access", true, locked);
pref("privacy.firstparty.isolate.use_site", false, locked);

// -----------------------------------------------------------------------------
// TLS/SSL Configuration
// -----------------------------------------------------------------------------
// Minimum TLS version (1=tls1, 2=tls1.1, 3=tls1.2, 4=tls1.3)
pref("security.tls.version.min", 3, locked);
// Maximum TLS version
pref("security.tls.version.max", 4, locked);
// Disable deprecated TLS versions
pref("security.tls.version.enable-deprecated", false, locked);

// TLS Security Features
pref("security.ssl.require_safe_negotiation", true, locked);
pref("security.tls.hello_downgrade_check", true, locked);
pref("security.ssl.enable_ocsp_stapling", true, locked);
pref("security.OCSP.require", true, locked);
pref("security.OCSP.enabled", 1, locked);

// TLS 1.3 Features
pref("security.tls.enable_0rtt_data", false, locked);
pref("security.tls.enable_post_handshake_auth", true, locked);
pref("security.tls.enable_delegated_credentials", true, locked);

// Encrypted Client Hello (ECH)
pref("network.dns.echconfig.enabled", true, locked);
pref("network.dns.http3_echconfig.enabled", true, locked);

// Disable weak cipher suites
pref("security.ssl3.rsa_aes_128_sha", false, locked);
pref("security.ssl3.rsa_aes_256_sha", false, locked);
pref("security.ssl3.rsa_aes_128_gcm_sha256", false, locked);
pref("security.ssl3.rsa_aes_256_gcm_sha384", false, locked);
pref("security.ssl3.deprecated.rsa_des_ede3_sha", false, locked);

// -----------------------------------------------------------------------------
// Content Security
// -----------------------------------------------------------------------------
pref("security.block_fileuri_script_with_wrong_mime", true, locked);
pref("security.mixed_content.block_active_content", true, locked);
pref("security.mixed_content.block_display_content", true, locked);
pref("security.mixed_content.upgrade_display_content", true, locked);
pref("security.insecure_connection_text.enabled", true, locked);
pref("security.insecure_connection_text.pbmode.enabled", true, locked);
pref("security.warn_submit_secure_to_insecure", true, locked);

// HTTPS-Only Mode
//pref("dom.security.https_only_mode", true, locked);
//pref("dom.security.https_only_mode_pbm", true, locked);
//pref("dom.security.https_first", true, locked);
//pref("dom.security.https_first_pbm", true, locked);

// HTTPS-First (less aggressive than HTTPS-Only)
pref("dom.security.https_first", true, locked);
pref("dom.security.https_first_pbm", true, locked);

// -----------------------------------------------------------------------------
// Certificate and PKI Settings
// -----------------------------------------------------------------------------
pref("security.default_personal_cert", "Ask Every Time", locked);
pref("security.pki.certificate_transparency.mode", 1, locked);
pref("security.ssl.errorReporting.enabled", true, locked);
pref("security.enterprise_roots.enabled", true, locked);

// -----------------------------------------------------------------------------
// Safe Browsing
// -----------------------------------------------------------------------------
pref("browser.safebrowsing.malware.enabled", true, locked);
pref("browser.safebrowsing.phishing.enabled", true, locked);
pref("browser.safebrowsing.downloads.enabled", true, locked);
pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", true, locked);
pref("browser.safebrowsing.downloads.remote.block_uncommon", true, locked);

// -----------------------------------------------------------------------------
// WebAuthn
// -----------------------------------------------------------------------------
pref("security.webauthn.always_allow_direct_attestation", false, locked);

// -----------------------------------------------------------------------------
// CSP Reporting
// -----------------------------------------------------------------------------
pref("security.csp.reporting.enabled", true, locked);

// -----------------------------------------------------------------------------
// Extension Security
// -----------------------------------------------------------------------------
//pref("xpinstall.whitelist.required", true, locked);
//pref("xpinstall.enabled", false, locked);
//pref("extensions.update.enabled", false, locked);

// -----------------------------------------------------------------------------
// Telemetry and Data Collection
// -----------------------------------------------------------------------------
pref("datareporting.healthreport.uploadEnabled", false, locked);
pref("toolkit.telemetry.enabled", false, locked);
pref("browser.newtabpage.activity-stream.feeds.telemetry", false, locked);
pref("browser.newtabpage.activity-stream.telemetry", false, locked);

// -----------------------------------------------------------------------------
// Network Security
// -----------------------------------------------------------------------------
pref("network.http.sendRefererHeader", 2, locked);
pref("privacy.resistFingerprinting", true, locked);
pref("privacy.trackingprotection.enabled", true, locked);
pref("privacy.trackingprotection.pbmode.enabled", true, locked);

// -----------------------------------------------------------------------------
// DNS over HTTPS
// -----------------------------------------------------------------------------
// pref("network.trr.mode", 3, locked);

// DoH with fallback (mode 2 instead of 3)
pref("network.trr.mode", 2, locked);

// -----------------------------------------------------------------------------
// Local Network Access
// -----------------------------------------------------------------------------
pref("network.lna.blocking", true, locked);

// -----------------------------------------------------------------------------
// Post-Quantum Cryptography
// -----------------------------------------------------------------------------
pref("security.tls.post_quantum_key_agreement.enabled", true, locked);
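
An added example, not part of the original post: an audit of a lockdown file in the format above. It reports prefs that are active but not locked, prefs that exist only as // comments and so enforce nothing, and prefs set twice with different values. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Audit a Firefox system preference file written as pref("name", value, locked);
# Output, one finding per line:
#   UNLOCKED <pref>  active but without the "locked" attribute
#   DISABLED <pref>  present only as a // comment, so nothing is enforced
#   CONFLICT <pref>  active more than once with different values
audit_prefs() {
    awk '
    /^[ \t]*(\/\/[ \t]*)?pref\(/ {
        commented = ($0 ~ /^[ \t]*\/\//)
        line = $0
        sub(/^[^(]*\(/, "", line)        # drop the leading pref( or //pref(
        sub(/\)[ \t]*;.*$/, "", line)    # drop the closing );
        if (!match(line, /^[ \t]*"[^"]+"/)) next
        name = substr(line, RSTART, RLENGTH)
        gsub(/^[ \t]*"|"$/, "", name)
        rest = substr(line, RSTART + RLENGTH)
        sub(/^[ \t]*,[ \t]*/, "", rest)
        locked = 0
        # Peel trailing attributes (locked, sticky) off the value.
        while (match(rest, /,[ \t]*(locked|sticky)[ \t]*$/)) {
            if (substr(rest, RSTART) ~ /locked/) locked = 1
            rest = substr(rest, 1, RSTART - 1)
        }
        gsub(/^[ \t]+|[ \t]+$/, "", rest)
        if (commented) { off[name] = 1; next }
        if ((name in val) && val[name] != rest) clash[name] = 1
        val[name] = rest
        if (!locked) unl[name] = 1
    }
    END {
        for (k in unl)   print "UNLOCKED " k
        for (k in clash) print "CONFLICT " k
        for (k in off) if (!(k in val)) print "DISABLED " k
    }' "$@" | LC_ALL=C sort
}

# Constructed sample input. The first seven pref lines are copied from the
# post above; the last three are made up to trigger UNLOCKED and CONFLICT.
sample_prefs() {
    cat <<'EOF'
//pref("dom.security.https_only_mode", true, locked);
//pref("dom.security.https_first", true, locked);
pref("dom.security.https_first", true, locked);
// pref("network.trr.mode", 3, locked);
pref("network.trr.mode", 2, locked);
//pref("xpinstall.enabled", false, locked);
pref("security.default_personal_cert", "Ask Every Time", locked);
// constructed: locked attribute left out
pref("privacy.resistFingerprinting", true);
// constructed: same pref locked to two different values
pref("network.lna.blocking", true, locked);
pref("network.lna.blocking", false, locked);
EOF
}

# Demo on the sample; pass a real file instead: audit_prefs /path/to/file.js
sample_prefs | audit_prefs
```

A pref that is commented out in one place and active in another (network.trr.mode, dom.security.https_first) is not reported, because the active line is the one that takes effect.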

#2 Re: Freedom Hacks » Chasing the Fox (Caccia alla volpe) » 2026-05-05 14:17:10

greenjeans wrote:

That would be a real service to the community

A real service to the community might be to avoid annoying others with your comments and advice. Please do not post in my topics.

_https://en.wikipedia.org/wiki/Sndio
sndio is the software layer of the OpenBSD operating system that manages sound cards and MIDI ports. It provides an optional sound server and a documented application programming interface to access either the server or the audio and MIDI hardware in a uniform way.

_https://man.openbsd.org/sndiod.8
BUGS
Resampling is low quality; down-sampling especially should be avoided when recording.

If -a off is used, sndiod creates sub-devices to expose first and then opens the audio hardware on demand. Technically, this allows sndiod to attempt to use one of the sub-devices it exposes as an audio device, creating a deadlock. There's nothing to prevent the user from shooting themselves in the foot by creating such a deadlock.

sndio might be perfectly suitable for semi-deaf and half-demented users.

If someone really needs sndio, he might consider forking it to integrate the fftrate resampler for higher-quality audio processing
_https://github.com/PetrovSE/fftrate

_https://man.openbsd.org/sndiod.8
BUGS
Resampling is low quality; down-sampling especially should be avoided when recording.

Perhaps sndio developers engage in post-modern humor. Linux users are unlikely to notice a Monty Python situation where a "bug" is documented rather than fixed.

If you don’t get this kind of humor, think of post-truth, post-philosophy, and post-documentation. It’s a post-real world where absurdity is plainly documented — in man pages, wikis, and official notes — without irony. The joke isn’t hidden; it’s right there, labeled "BUG". The word "bug" has become a post-word with a post-meaning: not a flaw to fix, but a punchline accepted as fact.

What is special about post-reality is that it can be consumed innocently — just like myth, it appears factual, not constructed.

The myth consumer takes the signification for a system of facts: myth is read as a factual system whereas it is but a semiological system.
Roland Barthes, Myth Today.

#3 Re: Freedom Hacks » Chasing the Fox (Caccia alla volpe) » 2026-05-05 12:37:54

To get sndio working with Firefox (Cubeb) you have to build it with sndio support

# Install sndio development libraries  
sudo apt-get install libsndio-dev  
  
# Add to your mozconfig  
ac_add_options --enable-sndio 

# Alternatively, you may try to disable ALSA
ac_add_options --enable-audio-backends=sndio

# Firefox about:config
media.cubeb.backend      sndio
sndio Backend   cubeb_sndio.c:314-360

Dynamic library loading
Basic stream operations
48kHz preferred sample rate   cubeb_sndio.c:535-536
2048 frame minimum latency    cubeb_sndio.c:546-547

#4 Re: Freedom Hacks » Chasing the Fox (Caccia alla volpe) » 2026-05-04 18:47:08

[Because of an epidemic of deafness] Sonova is now exiting the consumer audio market to refocus on its core hearing care business (hearing aids and cochlear implants). The professional division remains with the Sennheiser family.

After the Fox - Gold Robbery of Cairo
_https://youtu.be/zgcGyt6qOLg
_https://en.wikipedia.org/wiki/After_the_Fox

#5 Re: Freedom Hacks » Chasing the Fox (Caccia alla volpe) » 2026-05-04 18:02:04

Do you want to amplify audio volume in Firefox? It will reduce sound quality. At high levels, it may damage hearing or speakers.

#6 Re: Freedom Hacks » Chasing the Fox (Caccia alla volpe) » 2026-05-04 15:56:48

Firefox:
Does not resample audio by default.
WebM can be easily disabled.
PulseAudio backend can be easily disabled.

Chrome (and all Chrome-based browsers):
Resampling cannot be disabled.
WebM cannot be disabled.
PulseAudio backend cannot be disabled.

This is because, perhaps, Chrome developers do not hear the difference.

#7 Re: Freedom Hacks » Chasing the Fox (Caccia alla volpe) » 2026-05-04 13:42:04

Firefox Developer Edition

The browser made for developers
All the latest developer tools in beta in addition to features like the Multi-line Console Editor and WebSocket Inspector.
A separate profile and path so you can easily run it alongside Release or Beta Firefox.
Preferences tailored for web developers: Browser and remote debugging are enabled by default, as are the dark theme and developer toolbar button.
_https://www.firefox.com/en-US/channel/desktop/developer

Building Firefox On Linux
_https://firefox-source-docs.mozilla.org/setup/linux_build.html
_https://firefox-source-docs.mozilla.org/build/buildsystem/mozconfigs.html

mozconfig for Firefox Developer Edition (ALSA only, without pulse-rust backend):

$ cat .mozconfig
# The default mozconfig is located here: sourcedir/browser/config/mozconfig
. $topsrcdir/browser/config/mozconfig  
mk_add_options MOZ_MAKE_FLAGS="-j$(expr $(nproc) + 2)" 
mk_add_options MOZ_OBJDIR="$(dirname $topsrcdir)"/build_dir_ALSA-dev  
mk_add_options MOZ_APP_DISPLAYNAME="Firefox Developer Edition"  
mk_add_options MOZ_SIMPLE_PACKAGE_NAME=firefox-dev  
ac_add_options --with-app-basename="Firefox Developer Edition"  
ac_add_options --with-app-name=firefox-dev  
ac_add_options --prefix=/usr  
ac_add_options --without-sysroot  # classified
ac_add_options --enable-audio-backends=alsa
mk_add_options MOZ_DEV_EDITION=1
ac_add_options --with-branding=browser/branding/aurora   #  Firefox Developer Edition
export LDFLAGS="-Wl,--no-keep-memory"
cd firefox
git pull
./mach clobber
./mach configure
./mach build -v --priority normal
$ ./mach run --version
Mozilla Firefox Developer Edition 152.0a1 
DESTDIR="$(dirname $(pwd))"/debdir_ALSA-dev ./mach install 
$ ls -1 ../debdir_ALSA-dev/usr
bin
lib

$ file ../debdir_ALSA-dev/usr/bin/firefox-dev
../debdir_ALSA-dev/usr/bin/firefox-dev: broken symbolic link to /usr/lib/firefox-dev/firefox-dev 

A bash script to create the /usr/share directory structure for Firefox Developer Edition
(modify it to suit your needs)

$ cat make_share.sh
#!/bin/bash

# Create Firefox Developer Edition /usr/share structure
SHARE_DIR="$(dirname "$(pwd)")/debdir_ALSA-dev/usr/share"
PACKAGE_NAME="firefox-dev"
APP_NAME="Firefox Developer Edition"

echo "Creating /usr/share structure for $APP_NAME..."

# Create main directories
mkdir -p "$SHARE_DIR/$PACKAGE_NAME"/{browser/{chrome/icons/default,defaults/preferences},distribution/searchplugins/common}
mkdir -p "$SHARE_DIR/applications"
mkdir -p "$SHARE_DIR/icons/hicolor"/{16x16,32x32,48x48,64x64,128x128,symbolic}/apps
mkdir -p "$SHARE_DIR/doc/$PACKAGE_NAME"
mkdir -p "$SHARE_DIR/man/man1"
mkdir -p "$SHARE_DIR/lintian/overrides"
mkdir -p "$SHARE_DIR/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"

# Create desktop entry file
cat > "$SHARE_DIR/applications/$PACKAGE_NAME.desktop" << EOF
[Desktop Entry]
Version=1.0
Type=Application
Name=$APP_NAME
Comment=The browser made for developers
Exec=/usr/bin/$PACKAGE_NAME %U
Icon=$PACKAGE_NAME
Terminal=false
Categories=Network;WebBrowser;
StartupNotify=true
MimeType=text/html;text/xml;application/xhtml+xml;application/vnd.mozilla.xul+xml;text/mml;x-scheme-handler/http;x-scheme-handler/https;x-scheme-handler/ftp;
EOF

# Create copyright file
cat > "$SHARE_DIR/doc/$PACKAGE_NAME/copyright" << EOF
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: $PACKAGE_NAME
Source: https://hg.mozilla.org/mozilla-central/

Files: *
Copyright: 2024 Mozilla Foundation
License: MPL-2.0
 This Source Code Form is subject to the terms of the Mozilla Public
 License, v. 2.0. If a copy of the MPL was not distributed with this
 file, You can obtain one at http://mozilla.org/MPL/2.0/.

License: MPL-2.0
EOF

# Create lintian overrides
cat > "$SHARE_DIR/lintian/overrides/$PACKAGE_NAME" << EOF
$PACKAGE_NAME: package-name-doesnt-match-sonames
$PACKAGE_NAME: binary-without-manpage
$PACKAGE_NAME: missing-dep-for-interpreter /usr/bin/perl (perl >= 5.6)
$PACKAGE_NAME: script-not-executable ./usr/share/$PACKAGE_NAME/defaults/preferences/syspref.js
EOF

# Create man page
cat > "$SHARE_DIR/man/man1/$PACKAGE_NAME.1" << EOF
.TH $PACKAGE_NAME 1 "2024" "Mozilla Foundation" "User Commands"
.SH NAME
$PACKAGE_NAME \- Mozilla Firefox Developer Edition web browser
.SH DESCRIPTION
Firefox Developer Edition is the blazing fast browser that offers cutting edge developer tools and latest features like CSS Grid support and framework debugging
.SH OPTIONS
.TP
\fB\--help\fR
Prints the command line options.
.TP
\fB\--version\fR
Prints the version information.
.SH FILES
.I /usr/lib/$PACKAGE_NAME/firefox-dev
\- The main executable
.SH SEE ALSO
.BR firefox(1)
EOF

# -n: no timestamp in the archive; -f: overwrite the .gz when the script is re-run
gzip -9nf "$SHARE_DIR/man/man1/$PACKAGE_NAME.1"

# Copy icons from build if available
BUILD_LIB_DIR="$(dirname "$(pwd)")/debdir_ALSA-dev/usr/lib/firefox-dev"
if [ -f "$BUILD_LIB_DIR/browser/chrome/icons/default/default16.png" ]; then
    for size in 16 32 48 64 128; do
        if [ -f "$BUILD_LIB_DIR/browser/chrome/icons/default/default${size}.png" ]; then
            cp "$BUILD_LIB_DIR/browser/chrome/icons/default/default${size}.png" \
               "$SHARE_DIR/icons/hicolor/${size}x${size}/apps/$PACKAGE_NAME.png"
        fi
    done
else
    # Create placeholder icons
    for size in 16 32 48 64 128; do
        convert -size ${size}x${size} xc:transparent "$SHARE_DIR/icons/hicolor/${size}x${size}/apps/$PACKAGE_NAME.png" 2>/dev/null || \
        touch "$SHARE_DIR/icons/hicolor/${size}x${size}/apps/$PACKAGE_NAME.png"
    done
fi

# Set proper permissions
chmod 644 "$SHARE_DIR/applications/$PACKAGE_NAME.desktop"
chmod 644 "$SHARE_DIR/doc/$PACKAGE_NAME"/*
chmod 644 "$SHARE_DIR/lintian/overrides/$PACKAGE_NAME"
find "$SHARE_DIR" -type d -exec chmod 755 {} \;

echo "Created /usr/share structure in $SHARE_DIR"
echo "Directory tree:"
find "$SHARE_DIR" -type d | sort

echo "Files created:"
find "$SHARE_DIR" -type f | sort
./make_share.sh
$ ls -1 ../debdir_ALSA-dev/usr
bin
lib
share

How to calculate dependencies

Make a template

mkdir debian

echo -e "Source: firefox-dev\nPackage: firefox-dev\nDepends: \${shlibs:Depends}" >> debian/control 
$ cat debian/control
Source: firefox-dev
Package: firefox-dev
Depends: ${shlibs:Depends}

Run "dpkg-shlibdeps" to calculate dependencies

dpkg-shlibdeps -v -xfirefox-dev -l"$(dirname $(pwd))"/debdir_ALSA-dev/usr/lib --ignore-missing-info -e $(find "$(dirname $(pwd))"/debdir_ALSA-dev/usr -type f 2>/dev/null) 
$ cat debian/substvars
shlibs:Depends=libasound2 (>= 1.1.0), libatk1.0-0 (>= 1.12.4), libc6 (>= 2.36), libcairo-gobject2 (>= 1.10.0), libcairo2 (>= 1.10.0), libdbus-1-3 (>= 1.9.14), libfontconfig1 (>= 2.12.6), libfreetype6 (>= 2.11.1), libgcc-s1 (>= 4.2), libgdk-pixbuf-2.0-0 (>= 2.22.0), libglib2.0-0 (>= 2.37.3), libgtk-3-0 (>= 3.13.7), libharfbuzz0b (>= 0.6.0), libnspr4 (>= 2:4.12), libnss3 (>= 2:3.82), libpango-1.0-0 (>= 1.14.0), libpangocairo-1.0-0 (>= 1.14.0), libstdc++6 (>= 12), libx11-6, libx11-xcb1 (>= 2:1.8.4), libxcb-shm0, libxcb1, libxcomposite1 (>= 1:0.4.5), libxcursor1 (>> 1.1.2), libxdamage1 (>= 1:1.1), libxext6, libxfixes3, libxi6, libxrandr2 (>= 2:1.4.0), libxrender1, zlib1g (>= 1:1.1.4)
install -vm0755 -d "$(dirname $(pwd))"/debdir_ALSA-dev/DEBIAN
$ cat "$(dirname $(pwd))"/debdir_ALSA-dev/DEBIAN/control
Package: firefox-dev
Version: 152.0a1
Priority: optional
Section: web
Architecture: amd64
Maintainer: Devuan
Installed-Size: 433 MB
Provides: gnome-www-browser, www-browser
Depends: libc6 
Recommends: libavcodec61 | libavcodec-extra61 | libavcodec60 | libavcodec-extra60 | libavcodec59 | libavcodec-extra59 | libavcodec58 | libavcodec-extra58 | libavcodec57 | libavcodec-extra57 | libavcodec56 | libavcodec-extra56 | libavcodec55 | libavcodec-extra55 | libavcodec54 | libavcodec-extra54 | libavcodec53 | libavcodec-extra53
Suggests: fonts-stix | otf-stix, fonts-lmodern, libgssapi-krb5-2 | libkrb53, libcanberra0
Description: Mozilla Firefox Developer Edition. ALSA only.
 The browser made for developers
 .
 All the latest developer tools in beta in addition to features like the Multi-line Console Editor and WebSocket Inspector.
 .
 A separate profile and path so you can easily run it alongside Release or Beta Firefox.
 .
 Preferences tailored for web developers: Browser and remote debugging are enabled by default, as are the dark theme and developer toolbar button.
 .
 Mozilla Firefox Developer Edition. ALSA only, without pulse-rust backend.

Generate DEBIAN/md5sums

cd "$(dirname $(pwd))"/debdir_ALSA-dev

find . -type f -not -path "./DEBIAN/*" -exec md5sum {} + | sort -k 2 | sed 's/\.\/\(.*\)/\1/' > DEBIAN/md5sums

cd ..

chmod 0644 -- debdir_ALSA-dev/DEBIAN/md5sums 

Make Debian package

$ fakeroot -- dpkg-deb -b debdir_ALSA-dev firefox-dev_152.0a1_amd64.deb
dpkg-deb: building package 'firefox-dev' in 'firefox-dev_152.0a1_amd64.deb'.

$ ls -1 *deb
firefox-dev_152.0a1_amd64.deb

Install

sudo dpkg -i firefox-dev_152.0a1_amd64.deb
$ firefox-dev --version
Mozilla Firefox Developer Edition 152.0a1

Firefox 152.0a1 is not on YouTube’s allowlist. To enable YouTube live chat, use a User Agent override to spoof Firefox 150.0. This prevents YouTube from incorrectly flagging your browser as an 'older version' and blocking the chat feature.

about:config
general.useragent.override      Mozilla/5.0 (X11; Linux x86_64; rv:150.0) Gecko/20100101 Firefox/150.0	
privacy.resistFingerprinting    false   # default

NOTE: This guide is for experienced Linux users. If you need help, please start a new topic on "Desktop and Multimedia".
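
An added example, not part of the original post: the control file shown above carries Depends: libc6 and a size in MB, while dpkg-shlibdeps wrote the full list to debian/substvars and Debian policy defines Installed-Size as an integer in KiB. These functions (their names and the STAGE/SUBSTVARS arguments are assumptions) fill both fields from the staged tree and check the tree against DEBIAN/md5sums before dpkg-deb is run.

```shell
#!/bin/sh
# Assumed layout, following the steps above: STAGE is the debdir_ALSA-dev tree
# (usr/ plus DEBIAN/), SUBSTVARS is the debian/substvars file from dpkg-shlibdeps.

# Print the dependency list that dpkg-shlibdeps stored as "shlibs:Depends=...".
shlibs_depends() {
    sed -n 's/^shlibs:Depends=//p' "$1"
}

# Size of the payload in KiB, the unit Debian policy uses for Installed-Size.
installed_size_kib() {
    du -sk "$1/usr" | cut -f1
}

# Replace the Depends: and Installed-Size: fields of DEBIAN/control
# with the computed values. Runs in a subshell so variables stay local.
update_control() (
    stage=$1
    deps=$(shlibs_depends "$2")
    size=$(installed_size_kib "$stage")
    [ -n "$deps" ] || { echo "no shlibs:Depends line in $2" >&2; exit 1; }
    awk -v deps="$deps" -v size="$size" '
        /^Depends:/        { print "Depends: " deps; next }
        /^Installed-Size:/ { print "Installed-Size: " size; next }
        { print }
    ' "$stage/DEBIAN/control" > "$stage/DEBIAN/control.new" &&
    mv "$stage/DEBIAN/control.new" "$stage/DEBIAN/control"
)

# Succeed only if every payload file matches DEBIAN/md5sums and no payload
# file is missing from it. This catches a tree that changed after the
# manifest was generated; MD5 here detects accidents, not tampering.
verify_md5sums() (
    cd "$1" || exit 1
    md5sum -c DEBIAN/md5sums >/dev/null 2>&1 || exit 1
    listed=$(sed 's/^[0-9a-f]\{32\}  //' DEBIAN/md5sums | LC_ALL=C sort)
    actual=$(find . -type f ! -path "./DEBIAN/*" | sed 's|^\./||' | LC_ALL=C sort)
    [ "$listed" = "$actual" ]
)

# Usage: sh check_stage.sh STAGE SUBSTVARS   (script name is hypothetical)
if [ "$#" -eq 2 ]; then
    update_control "$1" "$2" && verify_md5sums "$1" &&
        echo "control updated, md5sums manifest matches the staged tree"
fi
```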

#8 Re: Freedom Hacks » Chasing the Fox (Caccia alla volpe) » 2026-04-30 21:05:13

To summarize "secret knowledge":

Configuration Editor for Firefox
_https://support.mozilla.org/en-US/kb/about-config-editor-firefox

Firefox settings for better sound quality

about:config

media.resampling.enabled            false
media.webm.enabled                  false
media.mediasource.webm.enabled	   false  # it might be deprecated
media.cubeb.backend		   alsa   # if ALSA backend  is available
media.cubeb_latency_playback_ms		160 

NOTE: Firefox's default value (for all platforms):

media.cubeb_latency_playback_ms		100 

This is because Firefox is optimized for macOS, not for Linux with ALSA.

media.encoder.webm.enabled       false   # Disable WebM recording
media.mediasource.vp9.enabled    false   # Disable WebM in MSE 

Media Source Extensions (MSE)
_https://en.wikipedia.org/wiki/Media_Source_Extensions

Verification:

1. about:support  - search for "Audio Backend"

2. MOZ_LOG="MediaDecoder:4,cubeb:5"

On both Linux and macOS, you need Firefox logs to detect unwanted resampling, or to verify that Firefox does not resample.

Linux logs:

MOZ_LOG="MediaDecoder:4,cubeb:5" stdbuf -oL firefox 2>&1 https://www.youtube.com/watch?v=X0lwWwJJfXk | grep  --line-buffered -E "MetadataLoaded.*rate=|FirstFrameLoaded.*rate=|CubebStreamInit output stream rate|target rate|Output hardware|Input|Output|Rates" | grep -vE "hasVideo=0|hasAudio=0" 
$ MOZ_LOG="MediaDecoder:4,cubeb:5" stdbuf -oL firefox 2>&1 https://www.youtube.com/watch?v=X0lwWwJJfXk | grep  --line-buffered -E "MetadataLoaded.*rate=|FirstFrameLoaded.*rate=|CubebStreamInit output stream rate|target rate|Output hardware|Input|Output|Rates" | grep -vE "hasVideo=0|hasAudio=0" 
[Child 25647: Main Thread]: D/MediaDecoder MediaDecoder[7f2a416c2e00] MetadataLoaded, channels=2 rate=44100 hasAudio=1 hasVideo=1
[Child 25647: Main Thread]: D/MediaDecoder MediaDecoder[7f2a416c2e00] FirstFrameLoaded, channels=2 rate=44100 hasAudio=1 hasVideo=1 mPlayState=PLAY_STATE_LOADING transportSeekable=1
[Child 25647: Main Thread]: D/MediaDecoder MediaDecoder[7f2a2c7d7d00] MetadataLoaded, channels=2 rate=44100 hasAudio=1 hasVideo=1
[Child 25647: Main Thread]: D/MediaDecoder MediaDecoder[7f2a2c7d7d00] FirstFrameLoaded, channels=2 rate=44100 hasAudio=1 hasVideo=1 mPlayState=PLAY_STATE_LOADING transportSeekable=1
[Child 25647: MediaDecoderStateMachine #1]: I/cubeb CubebStreamInit output stream rate 44100
[fftrate ALSA plugin log: 44100 --> 48000 Hz]
Input:  44100 Hz, 2 ch, 's32_le' (0xa): dummy = 0, period = 1764
Output: 48000 Hz, 2 ch, 's16_le' (0x2): dummy = 0, period = 1920
Rates:  44100 --> 48000 (J: 0.00%, T: FFT, W: Vorbis) 

macOS Firefox logs:

about:support
Name 	Firefox
Version 	151.0b3
Audio Backend	audiounit-rust
Max Channels	2
Preferred Sample Rate	44100

about:config
media.resampling.enabled     false
media.webm.enabled           false   # Disable WebM playback 

[grep = GNU grep]

MOZ_LOG="MediaDecoder:4,cubeb:5" stdbuf -oL /Applications/Firefox\ Developer\ Edition.app/Contents/MacOS/firefox 2>&1 https://youtu.be/qeUcGD4rRRc | ggrep  --line-buffered -E "MetadataLoaded.*rate=|FirstFrameLoaded.*rate=|CubebStreamInit output stream rate|target rate|Output hardware" | ggrep -vE "hasVideo=0|hasAudio=0"
➤ MOZ_LOG="MediaDecoder:4,cubeb:5" stdbuf -oL /Applications/Firefox\ Developer\ Edition.app/Contents/MacOS/firefox 2>&1 https://youtu.be/qeUcGD4rRRc | ggrep  --line-buffered -E "MetadataLoaded.*rate=|FirstFrameLoaded.*rate=|CubebStreamInit output stream rate|target rate|Output hardware" | ggrep -vE "hasVideo=0|hasAudio=0"
[Child 2125: Main Thread]: D/MediaDecoder MediaDecoder[133ffa100] MetadataLoaded, channels=2 rate=44100 hasAudio=1 hasVideo=1
[Child 2125: Main Thread]: D/MediaDecoder MediaDecoder[133ffa100] FirstFrameLoaded, channels=2 rate=44100 hasAudio=1 hasVideo=1 mPlayState=PLAY_STATE_LOADING transportSeekable=1
[Child 2125: MediaDecoderStateMachine #1]: I/cubeb CubebStreamInit output stream rate 44100
[Parent 2109: AudioIPC Server RPC]: E/cubeb mod.rs:4077: (0x14d932800) Output hardware description: AudioStreamBasicDescription { mSampleRate: 44100.0, mFormatID: 1819304813, mFormatFlags: 9, mBytesPerPacket: 8, mFramesPerPacket: 1, mBytesPerFrame: 8, mChannelsPerFrame: 2, mBitsPerChannel: 32, mReserved: 0 }
[Parent 2109: AudioIPC Server RPC]: E/cubeb cubeb_resampler_internal.h:555:Input and output sample-rate match, target rate of 44100Hz

Explanation:

Input Source Media Rate: 44100 Hz (from YouTube AAC metadata)

[Child 2125: Main Thread]: D/MediaDecoder MediaDecoder[133ffa100] MetadataLoaded, channels=2 rate=44100 hasAudio=1 hasVideo=1  
[Child 2125: Main Thread]: D/MediaDecoder MediaDecoder[133ffa100] FirstFrameLoaded, channels=2 rate=44100 hasAudio=1 hasVideo=1 mPlayState=PLAY_STATE_LOADING transportSeekable=1 

Output Stream Rate: 44100 Hz (Cubeb initialization)

[Child 2125: MediaDecoderStateMachine #1]: I/cubeb CubebStreamInit output stream rate 44100 

Conclusion: Since input source rate (44100 Hz) = output stream rate (44100 Hz), no resampling is occurring in Firefox's audio pipeline.

NOTE: To prevent software resampling by the macOS software mixer, set the sample rate to 44100Hz using the Audio MIDI Setup utility:

open -a Audio\ MIDI\ Setup.app 

Reference media files:
Robert de Visée Prélude et Allemande, Jonas Nordberg, theorbo
_https://youtu.be/qeUcGD4rRRc
The 10 Questions Everyone Asks About My 6-Foot, 14-String Lute [Theorbo]
_https://www.youtube.com/watch?v=X0lwWwJJfXk
The coolest LUTE I've ever seen!
_https://www.youtube.com/watch?v=4YmELV5p6ZY

Building Firefox On Linux
_https://firefox-source-docs.mozilla.org/setup/linux_build.html
_https://firefox-source-docs.mozilla.org/build/buildsystem/mozconfigs.html

A secret mozconfig to disable pulse-rust backend

$ cat .mozconfig
# Default: sourcedir/browser/config/mozconfig
. $topsrcdir/browser/config/mozconfig  
mk_add_options MOZ_MAKE_FLAGS="-j$(expr $(nproc) + 2)" 
mk_add_options MOZ_OBJDIR="$(dirname $topsrcdir)"/build_dir_ALSA  
mk_add_options MOZ_APP_DISPLAYNAME="Firefox ALSA"  
mk_add_options MOZ_SIMPLE_PACKAGE_NAME=firefox-alsa  
ac_add_options --with-app-basename="Firefox ALSA"  
ac_add_options --with-app-name=firefox-alsa  
ac_add_options --prefix=/usr  
ac_add_options --without-sysroot  # classified
ac_add_options --enable-audio-backends=alsa 
export LDFLAGS="-Wl,--no-keep-memory" 
cd firefox
git pull
./mach clobber
./mach configure 
./mach build -v --priority normal
./mach run --version
./mach run
DESTDIR="$(dirname $(pwd))"/debdir_ALSA ./mach install 

NOTE: The documented configure options can be listed with ./configure --help, but some may not work depending on undocumented options. To understand which options are actually functional, you need to study the source code.

$ ./configure --help

Usage: configure.py [options]

Options: [defaults in brackets after descriptions]
  Help options:
    --help                    Print this message

  Options from build/moz.configure/init.configure:
    --enable-application      Application to build. Same as --enable-project
    --enable-project          Project to build [browser]
    --enable-artifact-builds  Download and use prebuilt binary artifacts
    --host                    Define the system type performing the build
    --target                  Define the system type where the resulting executables will be used
    --with-version-file-path  Specify a custom path to app version files instead of auto-detecting
    --as-milestone={early-beta,late-beta,release}
                              Build with another milestone configuration (e.g., as release)
    --enable-update-channel   Select application update channel [default]
    --with-app-basename       Typically stays consistent for multiple branded versions of a given application (e.g. Aurora and Firefox both use "Firefox"), but may vary for full rebrandings (e.g. Iceweasel). Used for application.ini's "Name" field, which controls profile location in the absence of a "Profile" field (see below), and various system integration hooks (Unix remoting, Windows MessageWindow name, etc
    --prefix=PREFIX           Install files using PREFIX as root directory [/usr/local]
    --includedir=DIR          C header files in DIR [/usr/include]
    --libdir=DIR              Object code libraries in DIR [/usr/lib]

  Options from moz.configure:
    --enable-artifact-build-symbols[={full}]
                              Download symbols when artifact builds are enabled
    --disable-compile-environment
                              Disable compiler/library checks
    --disable-tests           Do not build test libraries & programs
    --enable-debug            Enable building with developer debug info (using the given compiler flags)
    --with-debug-label        Debug DEBUG_<value> for each comma-separated value given
    --enable-release          Build with more conservative, release engineering-oriented options. This may slow down builds.
    --disable-unified-build   Enable building modules in non unified context
    --enable-valgrind         Enable Valgrind integration hooks
    --enable-build-backend={Clangd,ChromeMap,CompileDB,CppEclipse,FasterMake,FasterMake+RecursiveMake,RecursiveMake,StaticAnalysis,TestManifest,VisualStudio},...
                              Deprecated
    --build-backends={Clangd,ChromeMap,CompileDB,CppEclipse,FasterMake,FasterMake+RecursiveMake,RecursiveMake,StaticAnalysis,TestManifest,VisualStudio},...
                              Build backends to generate [RecursiveMake,FasterMake,Clangd]
    --enable-gtest-in-build   Enable building the gtest libxul during the build
    --enable-ui-locale        Select the user interface locale (default: en-US) [en-US]
    --enable-strip            Enable stripping of libs & executables
    --disable-install-strip   Enable stripping of libs & executables when packaging
    --with-system-zlib        Use system libz

  Options from build/moz.configure/bootstrap.configure:
    --disable-bootstrap       Disable bootstrap or update of toolchains

  Options from build/moz.configure/toolchain.configure:
    --disable-optimize        Disable optimizations via compiler flags
    --with-toolchain-prefix   Prefix for the target toolchain
    --with-compiler-wrapper   Enable compiling with wrappers such as distcc and ccache
    --with-ccache             Enable compiling with ccache
    --enable-gold             Deprecated
    --enable-linker           Select the linker {bfd, gold, ld64, lld, lld-*, mold}
    --disable-debug-symbols   Disable debug symbols using the given compiler flags
    --enable-address-sanitizer
                              Enable Address Sanitizer
    --enable-memory-sanitizer
                              Enable Memory Sanitizer
    --enable-thread-sanitizer
                              Enable Thread Sanitizer
    --enable-undefined-sanitizer
                              Enable UndefinedBehavior Sanitizer
    --enable-signed-overflow-sanitizer
                              Enable UndefinedBehavior Sanitizer (Signed Integer Overflow Parts)
    --enable-unsigned-overflow-sanitizer
                              Enable UndefinedBehavior Sanitizer (Unsigned Integer Overflow Parts)
    --enable-hardening        Enables security hardening compiler options
    --enable-stl-hardening    Enable C++ STL hardening
    --enable-frame-pointers   Enable frame pointers
    --enable-coverage         Enable code coverage
    --enable-clang-plugin     Enable building with the Clang plugin (gecko specific static analyzers)
    --enable-fuzzing          Enable fuzzing support
    --enable-snapshot-fuzzing
                              Enable experimental snapshot fuzzing support
    --enable-cpp-rtti         Enable C++ RTTI
    --enable-path-remapping[={c,rust},...]
                              Enable remapping source and object paths in compiled outputs
    --enable-dtrace           Build with dtrace support

  Options from build/moz.configure/memory.configure:
    --enable-jemalloc         Replace memory allocator with jemalloc

  Options from build/moz.configure/warnings.configure:
    --enable-warnings-as-errors
                              Enable treating warnings as errors

  Options from build/moz.configure/flags.configure:
    --enable-icf              Enable Identical Code Folding
    --disable-new-pass-manager
                              Use the legacy LLVM pass manager in clang builds

  Options from build/moz.configure/lto-pgo.configure:
    --enable-profile-generate[={cross}]
                              Build a PGO instrumented binary
    --enable-profile-use[={cross}]
                              Use a generated profile during the build
    --with-pgo-profile-path   Path to the directory with unmerged profile data to use during the build, or to a merged profdata file
    --with-pgo-jarlog         Use the provided jarlog file when packaging during a profile-use build
    --enable-lto[={full,thin,cross},...]
                              Enable LTO

  Options from browser/moz.configure:
    --disable-browser-newtab-as-addon
                              Disable bundling newtab as a built-in addon

  Options from toolkit/moz.configure:
    --with-distribution-id    Set distribution-specific id [org.mozilla]
    --disable-gecko-profiler  Disable the Gecko profiler
    --enable-dmd              Enable Dark Matter Detector (heap profiler). Also enables jemalloc, replace-malloc and profiling
    --enable-audio-backends={aaudio,alsa,audiounit,jack,opensl,oss,pulseaudio,sndio,sunaudio,wasapi},...
                              Enable various cubeb backends [pulseaudio]
    --enable-alsa             Enable ALSA audio backend
    --enable-jack             Enable JACK audio backend
    --enable-pulseaudio       Enable PulseAudio audio backend
    --enable-sndio            Enable sndio audio backend
    --with-l10n-base          Path to l10n repositories
    --enable-default-toolkit={cairo-gtk3,cairo-gtk3-wayland,cairo-gtk3-x11-wayland,cairo-gtk3-wayland-only,cairo-gtk3-x11-only}
                              Select default toolkit [cairo-gtk3]
    --with-system-pipewire    Use system PipeWire
    --with-system-gbm         Use system gbm
    --with-system-libdrm      Use system libdrm
    --with-gl-provider        Set GL provider backend type
    --disable-wmf             Disable support for Windows Media Foundation
    --disable-ffmpeg          Disable FFmpeg for fragmented H264/AAC decoding
    --disable-av1             Disable av1 video support
    --with-system-av1         Use system av1 (located with pkg-config)
    --disable-jxl             Disable jxl image support
    --disable-real-time-tracing
                              Disable tracing of real-time audio callbacks
    --enable-openmax          Enable OpenMAX IL for video/audio decoding
    --enable-chrome-format={omni,jar,flat}
                              Select FORMAT of chrome files during packaging [omni]
    --enable-minify[={properties,js},...]
                              Select types of files to minify during packaging [properties]
    --with-mozilla-api-keyfile
                              Use the secret key contained in the given keyfile for Mozilla API requests
    --with-google-location-service-api-keyfile
                              Use the secret key contained in the given keyfile for Google Location Service API requests
    --with-google-safebrowsing-api-keyfile
                              Use the secret key contained in the given keyfile for Google Safebrowsing API requests
    --with-bing-api-keyfile   Use the client id and secret key contained in the given keyfile for Bing API requests
    --with-adjust-sdk-keyfile
                              Use the secret key contained in the given keyfile for Adjust SDK requests
    --with-leanplum-sdk-keyfile
                              Use the client id and secret key contained in the given keyfile for Leanplum SDK requests
    --with-pocket-api-keyfile
                              Use the secret key contained in the given keyfile for Pocket API requests
    --enable-webrender-debugger
                              Build the websocket debug server in WebRender
    --enable-app-system-headers
                              Use additional system headers defined in $MOZ_BUILD_APP/app-system-headers.mozbuild
    --disable-printing        Disable printing support
    --disable-synth-speechd   Disable speech-dispatcher support
    --disable-webspeech       Disable support for HTML Speech API
    --disable-webspeechtestbackend
                              Disable support for HTML Speech API Test Backend
    --disable-skia-pdf        Disable Skia PDF
    --with-system-webp        Use system libwebp (located with pkgconfig)
    --disable-webdriver       Disable support for WebDriver remote protocols
    --disable-geckodriver     Do not build geckodriver
    --enable-webrtc           Enable support for WebRTC
    --enable-raw              Enable support for RAW media
    --enable-address-sanitizer-reporter
                              Enable Address Sanitizer Reporter Extension
    --enable-proxy-bypass-protection
                              Prevent suspected or confirmed proxy bypasses
    --disable-proxy-direct-failover
                              Disable direct failover for system requests
    --disable-accessibility   Disable accessibility support
    --with-unsigned-addon-scopes={app,system},...
                              Addon scopes where signature is not required
    --allow-addon-sideload    Addon sideloading is allowed
    --disable-extensions-webidl-bindings
                              Disable building experimental WebExtensions WebIDL bindings
    --enable-launcher-process
                              Enable launcher process by default
    --enable-bundled-fonts    Enable support for bundled fonts on desktop platforms
    --enable-reflow-perf      Enable reflow performance tracing
    --enable-layout-debugger  Enable layout debugger
    --with-system-libvpx      Use system libvpx (located with pkgconfig)
    --with-system-jpeg        Use system libjpeg (installed at given prefix)
    --with-system-png         Use system libpng
    --with-wasm-sandboxed-libraries={graphite,ogg,hunspell,expat,woff2,soundtouch},...
                              Enable wasm sandboxing for the selected libraries
    --enable-disk-remnant-avoidance
                              Prevent persistence of auxiliary files on application close
    --enable-forkserver       Enable fork server
    --disable-backgroundtasks
                              Disable running in background task mode
    --enable-mobile-optimize  Enable mobile optimizations
    --disable-pref-extensions
                              Disable pref extensions such as autoconfig
    --disable-startupcache    Disable startup cache
    --enable-official-branding
                              Enable Official mozilla.org Branding. Do not distribute builds with --enable-official-branding unless you have permission to use trademarks per http://www.mozilla.org/foundation/trademarks/
    --with-branding=DIR       Use branding from directory DIR
    --with-crashreporter-url  Set an alternative crashreporter url [https://crash-reports.mozilla.com/]
    --with-system-libevent    Use system libevent
    --enable-crashreporter    Enable crash reporting
    --disable-dbus            Disable dbus support
    --enable-debug-js-modules
                              Enable debug mode for frontend JS libraries
    --enable-dump-painting    Enable paint debugging
    --enable-libproxy         Enable libproxy support
    --enable-logrefcnt        Enable logging of refcounts
    --disable-negotiateauth   Disable GSS-API negotiation
    --disable-parental-controls
                              Do not build parental controls
    --enable-sandbox          Enable sandboxing support
    --disable-system-extension-dirs
                              Disable searching system- and account-global directories for extensions of any kind; use only profile-specific extension directories
    --with-system-pixman      Use system pixman (located with pkgconfig)
    --disable-universalchardet
                              Disable universal encoding detection
    --disable-zipwriter       Disable zipwriter component
    --with-user-appdir        Set user-specific appdir [.mozilla]
    --enable-uniffi-fixtures  Enable UniFFI Fixtures/Examples
    --disable-system-policies
                              Disable reading policies from Windows registry, macOS's file system attributes, and /etc/firefox
    --disable-legacy-profile-creation
                              Disable the creation a legacy profile, to be used by old versions of Firefox, when no profiles exist
    --with-onnx-runtime       Location of the ONNX Runtime

  Options from js/moz.configure:
    --with-app-name           Used for e.g. the binary program file name. If not set, defaults to a lowercase form of MOZ_APP_BASENAME
    --enable-js-shell         Build the JS shell
    --enable-decorators       Enable experimental JS Decorators support
    --disable-explicit-resource-management
                              Disable explicit resource management
    --enable-portable-baseline-interp
                              Enable the portable baseline interpreter
    --enable-portable-baseline-interp-force
                              Enable forcing use of the portable baseline interpreter
    --enable-aot-ics          Enable including ahead-of-time corpus of CacheIR IC bodies
    --enable-aot-ics-force    Enable forcing the AOT ICs option on without additional configuration
    --enable-aot-ics-enforce  Enable enforcing that only AOT IC corpus is used, crashing otherwise (TEST ONLY)
    --enable-jit              Enable use of the JITs
    --enable-ion              Deprecated
    --enable-simulator={arm,arm64,mips64,loong64,riscv64}
                              Enable a JIT code simulator for the specified architecture
    --enable-instruments      Enable instruments remote profiling
    --enable-callgrind        Enable callgrind profiling
    --disable-profiling       Do not set compile flags necessary for using sampling profilers (e.g. shark, perf)
    --disable-execution-tracing
                              Do not set compile flags necessary for running the JS execution tracer
    --enable-vtune            Enable VTune profiling
    --enable-gc-probes        Turn on probes for allocation and finalization
    --enable-gczeal           Enable zealous GCing
    --enable-oom-breakpoint   Enable a breakpoint function for artificial OOMs
    --disable-jitdump         Disable perf jitdump integration
    --enable-jitspew          Enable the Jit spew and IONFLAGS environment variable
    --enable-masm-verbose     Enable MacroAssembler verbosity of generated code
    --disable-ctypes          Disable js-ctypes
    --enable-rust-simd        Enable explicit SIMD in Rust code
    --disable-spidermonkey-telemetry
                              Disable performance telemetry for SpiderMonkey (e.g. compile and run times)
    --enable-wasm-codegen-debug
                              Enable debugging for wasm codegen
    --wasm-no-experimental    Force disable all wasm experimental features for testing
    --enable-wasm-jspi        Enable WebAssembly JS PI
    --disable-shared-memory   Disable JS/WebAssembly shared memory and atomics
    --enable-wasm-simd        Enable WebAssembly SIMD
    --enable-wasm-avx         Enable AVX support for WebAssembly SIMD
    --enable-wasm-relaxed-simd
                              Enable WebAssembly relaxed SIMD
    --enable-wasm-moz-intgemm
                              Enable WebAssembly intgemm private intrinsics
    --disable-wasm-memory-control
                              Disable WebAssembly fine-grained memory control instructions
    --disable-wasm-branch-hinting
                              Disable WebAssembly Branch hints
    --with-sixgill            Enable static checking of code using sixgill
    --with-jitreport-granularity[={0,1,2,3}]
                              Default granularity at which to report JIT code to external tools (0 - no info, 1 - code ranges for while functions only, 2 - per-line information, 3 - per-op information) [3]
    --with-system-icu         Use system ICU
    --without-intl-api        Disable ECMAScript Internationalization API
    --disable-icu4x           Disable using ICU4X
    --disable-wasm-type-reflections
                              Disable type reflection in WASM JS-API
    --disable-wasm-resizable-arraybuffer
                              Disable resizable ArrayBuffer in WASM

  Options from build/moz.configure/nspr.configure:
    --with-system-nspr        Use system NSPR

  Options from build/moz.configure/rust.configure:
    --enable-rust-tests       Enable building and running of Rust tests during `make check`
    --enable-rust-debug       Build Rust code with debug assertions turned on
    --disable-cargo-incremental
                              Disable incremental rust compilation

  Options from build/moz.configure/bindgen.configure:
    --with-libclang-path      Absolute path to a directory containing Clang/LLVM libraries for bindgen (version 3.9.x or above)
    --with-clang-path         Absolute path to a Clang binary for bindgen (version 3.9.x or above)

  Options from js/ffi.configure:
    --with-system-ffi         Use system libffi (located with pkgconfig)

  Options from build/moz.configure/node.configure:
    --disable-nodejs          Require Node.js to build

  Options from build/moz.configure/nss.configure:
    --with-system-nss         Use system NSS

  Options from build/moz.configure/update-programs.configure:
    --disable-updater         Disable building the updater
    --enable-unverified-updates
                              Enable application update without verifying MAR or updater binary signatures
    --enable-default-browser-agent
                              Enable building the default browser agent

Environment variables:
  Options from build/moz.configure/init.configure:
    MOZ_AUTOMATION            Enable options for automated builds
    MOZCONFIG                 Mozconfig location
    MOZILLABUILD              Path to Mozilla Build (Windows-only)
    CONFIG_SHELL              Path to a POSIX shell
    GIT                       Path to the git program
    MOZILLA_OFFICIAL          Build an official release
    MOZBUILD_STATE_PATH       Path to a persistent state directory for the build system and related tools

  Options from moz.configure:
    MOZ_BUILD_HOOK            Path to the moz.build file that will be executed as if it were appended to every moz.build in the tree
    MOZ_COPY_PDBS             For builds that do not support symbols in the normal fashion, generate and copy them into the resulting build archive
    MOZ_PGO                   Build with profile guided optimizations
    READELF                   Path to the readelf program
    OBJCOPY                   Path to the objcopy program
    AWK                       Path to the awk program
    MAKE                      Path to GNU make
    GMAKE                     Path to the gmake program
    WATCHMAN                  Path to the watchman program
    XARGS                     Path to the xargs program
    MKFSHFS                   Path to the mkfshfs program
    HFS_TOOL                  Path to the hfs_tool program
    STRIP_FLAGS               Flags for the strip command
    STRIP                     Path to the strip program
    USE_LIBZ_RS               Use libz-rs-sys instead of zlib

  Options from build/moz.configure/toolchain.configure:
    HOST_CPPFLAGS             Extra flags for Preprocessing host sources []
    HOST_CFLAGS               Extra flags for compiling host C sources []
    HOST_CXXFLAGS             Extra flags for compiling host C++ sources []
    HOST_LDFLAGS              Extra flags for linking host object files []
    CPPFLAGS                  Extra flags for preprocessing sources []
    CFLAGS                    Extra flags for compiling C sources []
    CXXFLAGS                  Extra flags for compiling C++ sources []
    ASFLAGS                   Extra flags for assembling sources []
    LDFLAGS                   Extra flags for linking object files []
    LIBS                      Extra libraries for linking object files []
    MOZ_OPTIMIZE_FLAGS        Extra optimization flags
    MOZ_HAZARD                Build for the GC rooting hazard analysis
    CCACHE_PREFIX             Compiler prefix to use when using ccache
    RUSTC_WRAPPER             Wrap rust compilation with given tool
    SCCACHE_VERBOSE_STATS     Print verbose sccache stats after build
    CC                        Path to the target C compiler
    LD                        Deprecated
    CXX                       Path to the target C++ compiler
    HOST_CC                   Path to the host C compiler
    HOST_LD                   Deprecated
    HOST_CXX                  Path to the host C++ compiler
    MOZ_DEBUG_FLAGS           Debug compiler flags
    AS                        Path to the assembler
    LLVM_OBJDUMP              Path to llvm-objdump
    AR                        Path to the ar program
    HOST_AR                   Path to the host_ar program

  Options from build/moz.configure/pkg.configure:
    PKG_CONFIG                Path to the pkg_config program

  Options from build/moz.configure/lto-pgo.configure:
    LLVM_PROFDATA             Path to the llvm_profdata program
    MOZ_LD64_KNOWN_GOOD       Indicate that ld64 is free of symbol aliasing bugs

  Options from toolkit/moz.configure:
    MOZ_STUB_INSTALLER        Produce a stub installer
    MOZ_SOURCE_REPO           Project source repository
    MOZ_SOURCE_CHANGESET      Source changeset
    MOZ_INCLUDE_SOURCE_INFO   Include build repository informations
    USE_FC_FREETYPE           Force-enable the use of fontconfig freetype
    MOZ_TELEMETRY_REPORTING   Enable telemetry reporting
    TAR                       Path to the tar program
    UNZIP                     Path to the unzip program
    MIDL_FLAGS                Extra flags to pass to MIDL
    MOZ_REQUIRE_SIGNING       Enforce that add-ons are signed by the trusted root
    DUMP_SYMS                 Path to the dump_syms program
    MOZ_BRANDING_DIRECTORY    Path to the directory used for branding resources
    MOZ_OFFICIAL_BRANDING_DIRECTORY
                              Path to the directory used for official branding resources
    MOZ_APP_DISPLAYNAME       Branded application name
    MOZ_DEV_EDITION           Whether this a dev edition build
    MOZ_MACBUNDLE_ID          ID of the associated mac bundle
    MOZ_APP_REMOTINGNAME      Used for the internal program name, which affects profile name and remoting. If not set, defaults to MOZ_APP_NAME if the update channel is release, and MOZ_APP_NAME-MOZ_UPDATE_CHANNEL otherwise
    MOZ_WINCONSOLE            Whether we can create a console window
    MOZ_CRASHREPORTER_MOCK    Mock the crashreporter to test native GUIs
    MOZ_SIMPLE_PACKAGE_NAME   Package name override
    MOZ_PKG_SPECIAL           Name of special moz flavor
    MOZ_PACKAGE_JSSHELL       Whether the installer bundles the JS shell

  Options from build/moz.configure/rust.configure:
    RUSTC                     Path to the rust compiler
    CARGO                     Path to the Cargo package manager
    RUSTDOC                   Path to the rustdoc program
    RUSTDOCFLAGS              Extra options for the rustdoc program
    RUSTFLAGS                 Rust compiler flags
    RUSTC_OPT_LEVEL           Rust compiler optimization level (-C opt-level=%s) [2]

  Options from build/moz.configure/bindgen.configure:
    CBINDGEN                  Path to cbindgen
    RUSTFMT                   Path to the rustfmt program
    BINDGEN_CFLAGS            Options bindgen should pass to the C/C++ parser

  Options from build/moz.configure/node.configure:
    NODEJS                    Path to nodejs

  Options from build/moz.configure/update-programs.configure:
    MAR_CHANNEL_ID            MAR channel identifier
    ACCEPTED_MAR_CHANNEL_IDS  Accepted MAR channel identifiers

#9 Re: Freedom Hacks » UDisks2: Security Considerations » 2026-02-15 20:27:35

Devarch wrote:

It's possible that it was just propaganda to make the West believe in it.

If you like conspiracy theories... maybe anti-AI propaganda is sponsored by the Russians. The Kremlin is not a charity organization.

#10 Re: Freedom Hacks » UDisks2: Security Considerations » 2026-02-15 13:02:06

The problem is not censorship, but mob censorship.

#11 Re: Freedom Hacks » UDisks2: Security Considerations » 2026-02-15 00:45:14

There was an old Polish joke from the 1930s.  A group of hares tried to cross the Polish border. They said they needed refuge because the Soviet secret police were arresting camels. But you’re not camels! Yes, but how can we prove it?

#12 Re: Freedom Hacks » UDisks2: Security Considerations » 2026-02-15 00:29:59

The skepticism toward AI today parallels the Soviet-era rejection of cybernetics.

From 1950 to 1954, the reception of cybernetics by the Soviet Union establishment was exclusively negative. The Soviet Department for Agitation and Propaganda had called for anti-Americanism to be intensified throughout Soviet media, and in an attempt to fill the Department's quotas, Soviet journalists latched on to cybernetics as an American "reactionary pseudoscience" to denounce and mock. These attacks were interpreted as a signal of an official attitude to cybernetics, Soviet writers thus portraying cybernetics as "a full embodiment of imperialist ideology" during Joseph Stalin's premiership.
_https://en.wikipedia.org/wiki/Cybernetics_in_the_Soviet_Union

Nikita Khrushchev called genetics and cybernetics "prostitutes of capitalism."
Nikolai Vavilov, a geneticist, was arrested in 1940 and died in prison in 1943.
He was a fellow of the Royal Society, that is why, perhaps, we know what happened to him.
The fates of many other Soviet scientists remain obscure.
_https://en.wikipedia.org/wiki/Nikolai_Vavilov

Victor Glushkov: Insights to Remember

... In 1952, he earned his doctorate by proving the Fifth Generalized Problem of Hilbert and continued his academic career. In 1956, he headed the modeling and computing technology laboratory at the Mechanical Institute in Kyiv, where Sergey Lebedev and his team assembled the first European computer MESM.
In 1957, Glushkov transformed his lab into the Computing Center of the Academy of Sciences. In five years, it evolved into the separate Institute of Cybernetics.

..It is fascinating to delve into the intriguing narrative of how Glushkov navigated resistance to defend his mindset against Soviet bureaucrats, dragging talented managers into the swamp of the communist party's internal struggle.
_https://glushkov.dataart.com

For some strange reason, Victor Glushkov did not hate AI. In 1970, he developed the Evidence Algorithm (EA) as a research program in artificial intelligence focused on automated theorem proving. He considered AI as a part of cybernetics.

The Soviet rejection of cybernetics and repression of scientists contributed to its problems with technological innovations and failure in the Cold War arms and computing race.

#13 Re: Freedom Hacks » UDisks2: Security Considerations » 2026-02-14 16:35:07

Censorship doesn't necessarily mean editing.  There are many ways to silence someone.

There are many subtle ways to discourage someone from posting on a forum — beyond outright censorship. Constant accusations, excessive moderation, personal attacks, or repeatedly questioning someone's intent can create a hostile environment that pushes people away.

#14 Re: Freedom Hacks » UDisks2: Security Considerations » 2026-02-14 16:19:43

You seem to insist on your right to censor my posts.

#15 Re: Freedom Hacks » UDisks2: Security Considerations » 2026-02-14 15:28:52

Disliking AI doesn’t entitle you to censor someone else’s posts.

#16 Re: Freedom Hacks » UDisks2: Security Considerations » 2026-02-14 14:39:47

In security, when everything focuses on the exposed, the greatest risk lies in what remains unseen.  When a threat or system is exposed, it naturally draws scrutiny and defense — but the real risk often lies in what remains hidden: unpatched systems, shadow IT, unknown assets, or undisclosed vulnerabilities.

Removing D-Bus may create a false sense of security. While it reduces one attack surface, it can break system functionality and distract from real threats.

Why this is a trap:

  • D-Bus is foundational: It coordinates communication between system components (e.g., network management, power, Bluetooth). Removing it can cause instability or force insecure workarounds.

  • Security through removal ≠ security: Just because a service is gone doesn’t mean the system is safer. Attackers may exploit other vectors (e.g., direct IPC, file system races).

  • False confidence: Believing the system is “more secure” because D-Bus is gone can lead to neglecting actual hardening (e.g., access controls, logging, updates).

Security isn't achieved by stripping out critical components, but through proper understanding and control of the system.

#17 Freedom Hacks » UDisks2: Security Considerations » 2026-02-13 23:23:13

igorzwx
Replies: 41
UDisks2: Security Considerations

UDisks2 is a system service that provides a D-Bus interface for managing storage devices, enabling non-privileged users to mount, unmount, format, and resize storage media — commonly used in desktop environments. While convenient, its design introduces several security considerations, particularly around privilege escalation, mount option handling, and access control policies.
On Debian and its derivatives, udisks2 is responsible for auto-mounting USB storage devices.  By default, Windows filesystems (NTFS, FAT, exFAT) are mounted with executable permissions for all files, which can appear strange or insecure. 
This happens because:

  • Windows filesystems do not support Unix-style permissions.

  • Linux synthesizes permissions at mount time using default masks.

  • udisks2, by default, does not apply restrictive fmask/dmask values or noexec  — presumably for backward compatibility — especially to allow execution of Linux binaries stored on NTFS (e.g., in dual-boot scenarios). 

  • As a result, all files get the execute bit by default unless explicitly masked.

Automounting USB drives with default udisks2 settings can act as a backdoor, especially when files are mounted with unnecessary execute permissions (755 instead of 644).  This behavior affects NTFS, exFAT, and VFAT filesystems due to how Unix permissions are emulated. 

A backdoor in the architecture? One imagines it serves a purpose — conceivably, for operational convenience, should access be required at a later juncture...
One supposes a backdoor in Linux is not without precedent — merely a precaution, one assumes, for those occasions when entry must be effected without undue formality.

Why It's a Risk

  • All files become executable: On Windows filesystems, udisks2 applies default masks that often result in files having execute bits — a security hazard if scripts or binaries are auto-executed. 

  • Privilege escalation vulnerabilities exist: Recent CVEs (e.g., CVE-2025-6019, CVE-2025-8067) show that udisks2 can be exploited for local privilege escalation if not patched.

  • Runs as root: The udisksd daemon handles mount operations with root privileges, making misconfigurations dangerous.

How to restrict permissions
Create /etc/udisks2/mount_options.conf to override default mount options. Example configuration to enforce noexec and restrictive permission masks:

[defaults]
vfat_defaults=uid=$UID,gid=$GID,shortname=mixed,utf8=1,noexec,dmask=022,fmask=133
exfat_defaults=uid=$UID,gid=$GID,iocharset=utf8,errors=remount-ro,noexec,dmask=022,fmask=133
ntfs_defaults=uid=$UID,gid=$GID,noexec,dmask=022,fmask=133 

This is a security-hardened configuration. It adds noexec to prevent execution of binaries and uses dmask=022 and fmask=133 to ensure directories are created with 755 permissions and files with 644 on Windows filesystems.
NOTE: After saving, no restart is needed — UDisks2 reads the configuration file dynamically. Simply unplug and replug your USB stick, then verify the file permissions. UDisks2 applies changes on the next mount, so reinserting the device is sufficient. No daemon restart is required.

Why this configuration

  • vfat: Replaces showexec with noexec and adds restrictive masks builtin_mount_options.conf:4-5

  • exfat: Adds noexec and masks (exfat doesn't have flush by default) builtin_mount_options.conf:8-9

  • ntfs: Uses generic ntfs_defaults for broader driver compatibility builtin_mount_options.conf:11-17

Why this works

  • On Linux, mounted Windows filesystems (like FAT, exFAT, NTFS) default to permissions derived from 777 for both files and directories.

  • dmask=022 sets directory permissions: 777 - 022 = 755 (rwxr-xr-x).

  • fmask=133 sets file permissions: 777 - 133 = 644 (rw-r--r--).

  • noexec is a standard mount option that prevents the execution of binaries on the mounted filesystem.

The builtin mount options confirm these filesystems support dmask and fmask in their _allow lists builtin_mount_options.conf:4-17. UDisks2 always adds nodev,nosuid,uhelper=udisks2 for security configurable_mount_options.xml:87-88.

Privilege Escalation Vulnerabilities

Recent vulnerabilities have demonstrated that UDisks2 can be exploited for Local Privilege Escalation (LPE), allowing unprivileged users with console access to gain full root privileges. 

  • CVE-2025-6019: A critical flaw where UDisks2, through its interaction with libblockdev, failed to enforce proper security mount flags (nosuid, nodev) during filesystem resize operations. An attacker could:

    • Create a malicious XFS image containing a SUID-root executable.

    • Use a loop device to attach the image.

    • Trigger a resize operation via udisksctl resize, causing the image to be mounted temporarily by the system.

    • Because the mount lacked nosuid and nodev, the attacker could then execute the SUID-root binary and gain full root access. 

  • CVE-2025-8067: An out-of-bounds read vulnerability allowing unprivileged users to access sensitive files (e.g., /etc/shadow, private keys) via improper memory boundary checks during file operations. While not directly granting code execution, it enables data exfiltration for further attacks.

The UDisks daemon (udisksd) runs as root, and the test suite requires root privileges integration-test:131-133 udisks2.spec:280-282 .

Details

  • Daemon privileges: The daemon is installed to run with elevated privileges and manages system-wide storage operations udisks2.spec:280-282 . Helper processes spawned by the daemon can drop privileges via setuid/setgid in child_setup udisksspawnedjob.c:394-431 .

  • Test requirement: The integration test suite explicitly checks for root and exits if not running as root integration-test:131-133 .

  • Client tools: udisksctl does not assume root and relies on polkit for authorization, while the daemon runs with elevated privileges to perform privileged actions udisksctl.xml.in:471-474 .

Notes

  • The daemon’s privilege-dropping logic in udisksspawnedjob.c is for spawned jobs, not the daemon itself.

  • The test suite’s root check is in src/tests/integration-test integration-test:131-133 .

Attack Surface and Vectors for UDisks2

UDisks2 presents a significant attack surface because it runs as root and exposes a D-Bus API to unprivileged users. The main attack vectors include:

Key Attack Vectors

  1. D-Bus Interface Exposure udisks.xml.in:25-42 shows that any unprivileged application can access the org.freedesktop.UDisks2 D-Bus interface. This is the primary attack surface—an attacker can invoke methods on storage devices without direct filesystem access.

  2. Authorization Bypass (Polkit) udisksdaemonutil.c:754-783 implements authorization checks via Polkit. If Polkit is misconfigured, masked, or has vulnerabilities, attackers can bypass authorization. The code shows that if authority == NULL, it falls back to a less secure authorization path.

  3. Input Validation Vulnerabilities. The NEWS file documents a critical buffer overflow vulnerability: NEWS:2796-2800 describes CVE-2014-0004, where specially crafted mount paths could cause the daemon to crash or execute arbitrary code as root.

  4. Race Conditions (TOCTOU) NEWS:2756-2757 mentions "Fix TOCTOU race when making directories," indicating time-of-check-time-of-use vulnerabilities exist in directory creation logic.

  5. Module Loading udisksdaemon.c:83 shows the daemon loads modules dynamically via UDisksModuleManager. Malicious or compromised modules could execute arbitrary code with root privileges.

  6. Device File Operations udiskslinuxblock.c:4104-4155 shows the handle_open_device method opens device files. Symlink attacks or race conditions during file operations could lead to privilege escalation.

  7. Privilege Escalation via Spawned Jobs  shows the daemon spawns child processes and attempts to drop privileges. Bugs in this privilege-dropping logic (setuid/setgid calls) could allow privilege escalation.

Critical Operations Requiring Authorization

The daemon handles sensitive operations that require Polkit authorization:

  • Filesystem mounting/unmounting udiskslinuxfilesystem.c:904-962

  • Partition modification udiskslinuxpartition.c:108-160

  • Secure erase operations udiskslinuxdriveata.c:2406-2470

  • Device opening udiskslinuxblock.c:4133-4149

Each of these is a potential attack vector if authorization checks are bypassed.

Notes

The daemon's root privilege combined with its broad D-Bus exposure makes it a high-value target. Historical vulnerabilities (CVE-2014-0004) show that memory safety issues and race conditions have been exploited. The modular architecture and dynamic module loading add additional complexity to the attack surface.

Why It's a High-Value Target

Root Privilege + Broad Attack Surface: The daemon runs as root and exposes a D-Bus API accessible to any unprivileged application. udisks.xml.in:25-42 This combination means a successful exploit grants root-level code execution to an attacker who can send D-Bus messages.
Critical Historical Vulnerabilities: NEWS:2796-2800 documents CVE-2014-0004, a buffer overflow in mount path parsing that allowed arbitrary code execution as root. This wasn't a theoretical vulnerability—it was exploitable through normal user operations (creating long mount points via FUSE).
Control Over Storage Operations: The daemon manages critical operations including:

  • Filesystem mounting/unmounting

  • Partition creation and modification

  • Encryption/decryption (LUKS)

  • Device formatting

Compromising UDisks2 gives an attacker control over the entire storage stack, potentially allowing data theft, corruption, or persistence mechanisms.
Prevalence: UDisks2 is a standard component on most Linux desktop and server systems, making it a broad target across many machines.

Mitigating Factors

Polkit Authorization: The daemon implements Polkit-based authorization checks for sensitive operations. This means not every D-Bus caller can perform privileged actions—they must pass authorization checks first.
Active Maintenance: The codebase shows ongoing security fixes. The CVE-2014-0004 vulnerability was patched, and the project continues to address issues like TOCTOU races. NEWS:2756-2757

Verdict

UDisks2 is a legitimate high-value target because:

  1. Root-level code execution is the ultimate prize

  2. Historical vulnerabilities prove exploitability

  3. It's ubiquitous on Linux systems

  4. It controls critical system resources

However, the actual risk depends on whether an attacker can reach it (D-Bus access) and whether Polkit is properly configured. A well-hardened system with restrictive Polkit policies reduces the risk; a misconfigured one increases it significantly.

Notes

The daemon's broad functionality and root privileges do create a substantial attack surface. The existence of CVE-2014-0004 demonstrates that these aren't theoretical concerns.
There is no explicit mention of CVE-2025-6019 or CVE-2025-8067 in the NEWS file or source comments. However, the described vulnerabilities align with UDisks2’s loop device and filesystem-resize logic.

CVE-2025-6019 (XFS resize LPE)

  • Issue: A crafted XFS image with a SUID-root shell is resized by UDisks2, causing it to be mounted without nosuid/nodev, allowing privilege escalation.

  • Relevant code: Filesystem resizing is handled via the Resize method on the Filesystem interface org.freedesktop.UDisks2.xml:2787-2790 . Mount options are computed in udisks_linux_calculate_mount_options (not shown in context) and applied during mount operations in udiskslinuxfilesystem.c udiskslinuxfilesystem.c:1180-1214 . The NEWS does not show a fix for this CVE in the provided snippets.

CVE-2025-8067 (Loop device OOB read)

  • Issue: The loop device handler fails to validate a negative file index, leading to an out-of-bounds read.

  • Relevant code: Loop setup is handled in handle_loop_setup in udiskslinuxmanager.c udiskslinuxmanager.c:335-401 . The code extracts an fd_index from a GVariant and validates it against the length of the fd_list, but the provided snippet does not show explicit negative-index validation.  Loop device state is tracked in udisks_state_add_loop and udisks_state_has_loop udisksstate.c:1663-1681 udisksstate.c:1832-1871 . No explicit fix for this CVE appears in the context.

Notes

  • The NEWS file in this context only lists historical CVEs (e.g., CVE-2014-0004) NEWS:2796-2800 and does not include 2025 entries.

  • To confirm whether these CVEs are addressed in the repo, check the full NEWS file or recent commits for mentions of “CVE-2025-6019” or “CVE-2025-8067,” or look for validation hardening in loop setup and resize paths.

  • The loop setup code does validate that the fd index is within bounds (fd_num >= g_unix_fd_list_get_length(fd_list)) udiskslinuxmanager.c:383-393 , but negative-index handling is not visible in this snippet.

Transparency and Trustworthiness of UDisks2

UDisks2 simulates reasonable transparency about security issues, though like any complex system, vulnerabilities do occur. The project's trustworthiness depends on several factors visible in the codebase.

Evidence of Transparency

Security Disclosure in NEWS: The project maintains a detailed changelog documenting security fixes. NEWS:2796-2800 shows CVE-2014-0004 was publicly disclosed and fixed. This pattern suggests the project doesn't hide vulnerabilities.
Public Bug Tracking: udisks.xml.in:388-403 and udisksctl.xml.in:499-506 both direct users to report bugs via GitHub's public issue tracker, indicating an open development model.
Active Maintenance: The codebase shows continuous development with AUTHORS:91-131 listing numerous contributors across multiple years, and the NEWS file documenting regular releases and fixes.

Limitations and Risks

Vulnerabilities Still Occur: The recent CVEs (CVE-2025-6019, CVE-2025-8067) show that despite active maintenance, security issues are discovered. This is normal for any software, but it means UDisks2 is not "perfectly secure."
Complexity Creates Risk: The daemon's broad functionality — mounting filesystems, managing loop devices, handling encryption — creates a large attack surface. shows loop device setup involves multiple validation steps, but as CVE-2025-8067 demonstrates, edge cases (negative indices) can be missed.

How to Evaluate Trust

  1. Keep systems patched: Security fixes are released; apply them promptly

  2. Review Polkit policies: udisks.xml.in:44-62 shows authorization is configurable—restrict who can perform sensitive operations

  3. Monitor for updates: The project actively fixes issues when discovered

  4. Understand the risk model: UDisks2 is a privileged daemon; treat it accordingly in your threat model

The project is reasonably transparent by open-source standards, but "trust" should be conditional on keeping it updated and properly configured.

Notes

The existence of CVEs doesn't indicate a lack of transparency — it indicates the project is actively maintained and vulnerabilities are being found and fixed. The real question is whether you trust the maintainers to patch issues promptly, which the evidence suggests they do.

UDisks2 does exhibit the appearance of transparency through public bug tracking and CVE disclosure, but the recent CVEs (CVE-2025-6019, CVE-2025-8067) demonstrate that vulnerabilities reach production despite these practices. The transparency is real but incomplete—it's reactive (fixing issues after discovery) rather than preventive.

The Transparency Mechanisms

The project does maintain public channels: udisks.xml.in:388-403 directs bug reports to GitHub, and NEWS:2796-2800 documents security fixes like CVE-2014-0004. This is genuine transparency infrastructure.
However, the infrastructure's effectiveness is limited. The loop device handler in validates that fd_num >= g_unix_fd_list_get_length(fd_list), but this check doesn't catch negative indices—exactly the vulnerability CVE-2025-8067 exploits. This suggests the validation logic was incomplete at release time, despite being reviewed code.

The Core Problem

The issue isn't dishonesty; it's that complexity defeats transparency. A daemon managing storage operations across multiple technologies (filesystems, loop devices, encryption, partitions) creates a large attack surface. shows mount option calculation and shows the Resize method — both are security-sensitive operations where edge cases can be missed.
Transparency here is more about admitting problems after they're found than preventing them beforehand.

Notes

The distinction matters for trust decisions. You can trust UDisks2 to patch vulnerabilities when discovered, but you shouldn't trust it to be free of vulnerabilities. The project's transparency is genuine but operates within the limits of what code review and testing can catch.
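
The bounds check discussed in this post, as an added C example that is not part of the original post and is not UDisks2 source: it puts the upper-bound-only test the post quotes beside a check of both bounds. The `fd_list` struct, the function names and the sample descriptors are constructed for illustration, and the index is assumed to be a signed 32-bit value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the fd list attached to a D-Bus call
 * (not GLib's GUnixFDList; the length is signed, as a gint would be). */
struct fd_list {
    const int *fds;
    int32_t length;
};

/* Constructed sample: three descriptor numbers. */
static const int SAMPLE_FDS[] = { 10, 11, 12 };
static const struct fd_list SAMPLE = { SAMPLE_FDS, 3 };

/* Upper-bound-only test, the shape quoted in the post:
 * reject when idx >= length. A negative idx is not rejected. */
int accepts_upper_bound_only(const struct fd_list *l, int32_t idx)
{
    return !(idx >= l->length);
}

/* Both bounds are checked before the index is ever used. */
int accepts_both_bounds(const struct fd_list *l, int32_t idx)
{
    return idx >= 0 && idx < l->length;
}

/* Guarded lookup: returns the descriptor, or -1 when idx is rejected. */
int fd_list_get(const struct fd_list *l, int32_t idx)
{
    if (l == NULL || l->fds == NULL || !accepts_both_bounds(l, idx))
        return -1;
    return l->fds[idx];
}

/* Count the boundary indices on which the two checks disagree. */
int count_disagreements(const struct fd_list *l)
{
    const int32_t probes[] = { INT32_MIN, -2, -1, 0, 1, 2, 3, 4, INT32_MAX };
    int n = 0;
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        if (accepts_upper_bound_only(l, probes[i]) !=
            accepts_both_bounds(l, probes[i]))
            n++;
    return n;
}

int main(void)
{
    printf("idx -1: upper-bound-only accepts=%d, both-bounds accepts=%d\n",
           accepts_upper_bound_only(&SAMPLE, -1),
           accepts_both_bounds(&SAMPLE, -1));
    printf("guarded lookup: idx 2 -> %d, idx -1 -> %d\n",
           fd_list_get(&SAMPLE, 2), fd_list_get(&SAMPLE, -1));
    printf("probes where the checks disagree: %d\n",
           count_disagreements(&SAMPLE));
    return 0;
}
```

Every probe on which the two checks disagree is a negative index, which is the input class a regression test for this path should cover.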

#18 Re: Freedom Hacks » Turnstile: security considerations and potential issues » 2026-02-10 10:11:40

Here are the key security considerations and potential issues:

Socket Permissions and Access Control

  • The control socket uses permissive permissions (0666) allowing connections from non-root users turnstiled.cc:47 , but relies on platform-specific credentials checking to verify the peer's UID/GID/PID utils.cc:25-111 . This design requires proper implementation on each supported platform.

Privilege Separation

  • The daemon runs as root but service managers are executed with dropped privileges after proper setup exec_utils.cc:126-145

  • Resource limits are sanitized before PAM session setup to prevent privilege escalation exec_utils.cc:106-124

Process Management and Timeouts

  • Implements a 60-second timeout for service manager startup to prevent hanging logins turnstiled.cc:55 turnstiled.conf.5.scd.in:93-97

  • Service managers that fail to signal readiness are terminated and runtime directories are cleaned up turnstiled.cc:1043-1054

Resource Management

  • Runtime directories are created with proper ownership and permissions

  • Cleanup occurs on logout unless lingering is enabled turnstiled.cc:1071-1075

Known Limitations

  • When integrating with polkit, sessions may be treated as non-local unless polkit is patched, potentially affecting authentication README.md:110-122

  • Root session management is disabled by default due to potential security implications turnstiled.conf.5.scd.in:99-104

  • Running as root increases the attack surface if vulnerabilities exist in the daemon or its PAM interaction.

  • Although it uses a modular backend design (e.g., shell scripts to launch user services), privilege separation is minimal; the main daemon itself does not drop privileges. 

  • There is no built-in privilege separation framework, unlike systems such as OpenSSH or systemd, which use sandboxing or process isolation. 

In practice, this means trust is placed in the correctness of the code and its PAM configuration, with no fine-grained containment.

Relying on the accuracy of code described by developers as a "work in progress" constitutes an unusual and risky security practice, as it introduces significant vulnerabilities due to incomplete testing, lack of peer review, and potential design flaws.
_https://github.com/chimera-linux/turnstile

The daemon needs to be running in some way. Usually you will spawn it as a system-wide service. It needs to be running as the superuser.
_https://github.com/chimera-linux/turnstile

Yes, the turnstiled daemon must run as root. This is explicitly documented and required for its core functionality.

Why Root is Required

The daemon performs privileged operations that necessitate root access:

  1. System Directory Management: Creates directories in /run for session tracking turnstiled.cc:1276-1298

  2. Runtime Directory Creation: Creates and chowns XDG_RUNTIME_DIR for users fs_utils.cc:55-124

  3. Socket Operations: Binds to system paths and sets up the control socket turnstiled.cc:890-943

  4. PAM Session Management: Establishes PAM sessions for users exec_utils.cc:316-322

Security Design

While running as root, the daemon implements:

  • Credential verification: Only UID 0 can create sessions turnstiled.cc:297-300

  • Privilege separation: Service managers run with dropped privileges exec_utils.cc:339-349

  • Root checks: Verifies it's running as root before privileged operations exec_utils.cc:310

The README explicitly states: "It needs to be running as the superuser" README.md:78-81 .

Notes

The daemon accepts connections via a permissive socket (0666) but enforces security through platform-specific credential checking, allowing the PAM module to communicate while maintaining access control turnstiled.cc:47 .

Any daemon running as root is inherently an attractive target for attackers. Turnstiled is no exception.

Security Reality

Turnstiled runs as root and accepts connections via a 0666 socket turnstiled.cc:47 , making it a high-value target. A compromise could allow session hijacking or privilege escalation.

Mitigations in Place

The daemon implements several security measures:

  1. Credential verification: Every connection is authenticated using platform-specific methods (SO_PEERCRED on Linux, LOCAL_PEERCRED on BSD, etc.) utils.cc:25-111

  2. Access control: Only UID 0 can create sessions turnstiled.cc:297-300

  3. Privilege separation: Service managers run with dropped privileges exec_utils.cc:339-349

  4. Resource limits: Sanitizes rlimits before PAM session setup exec_utils.cc:106-124

Attack Surface

The primary attack vectors would be:

  • Bugs in credential checking code

  • Protocol parsing vulnerabilities

  • Race conditions in process management

  • Memory corruption in the daemon

Notes

While the design is deliberate for PAM integration turnstiled.cc:40-46 , it does increase the attack surface. The security relies heavily on the correctness of the credential verification implementation. Regular security audits and keeping the daemon updated would be essential for any deployment.

The documentation does present a tension between the "work in progress" status and the security requirements.

What the Documentation States

The README explicitly labels Turnstile as "a work in progress effort" README.md:3-5 while simultaneously stating it "needs to be running as the superuser" README.md:78-81 . There is no explicit security warning about this combination.

Security Considerations in Code

The code does implement security measures:

  • Platform-specific credential verification for all connections

  • Only UID 0 can create sessions turnstiled.cc:297-300

  • Privilege separation for service managers

However, the design acknowledges accepting connections from non-root processes as a deliberate trade-off turnstiled.cc:40-46 .

Missing Documentation

What's absent from the documentation:

  • No explicit warning about running Work-In-Progress (WIP) software as root

  • No security audit status or review process mentioned

  • No clear statement about production readiness

Notes

This is a valid concern. While the code implements standard security practices for a session tracker, users should be aware that running any "work in progress" daemon as root carries inherent risks. The documentation could be more transparent about these risks and the current security posture of the project.

  • The project seems to place considerable faith in its users' understanding of the inherent risks involved.

  • The users are invited to trust developers who have not fully disclosed the security risks associated with running work-in-progress (WIP) software with root privileges.

Transparency is a key pillar of trust in software development. 

In cybersecurity, trust must be earned through demonstrable actions, not assumed or invited. When developers work on software that requires elevated privileges like root access, the stakes are significantly higher. A lack of transparency about known risks, especially in Work-In-Progress (WIP) software, undermines user safety and ethical responsibility.

Transparency was, of course, something of a guiding principle in Linux and open-source software, and one rather hopes it might linger on.

#19 Re: Freedom Hacks » Turnstile: security considerations and potential issues » 2026-02-10 01:44:48

Yes, it’s a bit like saying the kettle’s warm when it’s actually boiling — in Linux circles, flagging “security considerations” around a login manager isn’t just caution, it’s a quiet nod to the “don’t trust anything unless you’ve poked it with a stick” rule.

“This thing runs as root, touches logins, and isn’t covered in layers of armour. Best have a proper look under the bonnet before you let it near your front door.”

It’s not fearmongering — more a stiff upper lip way of saying:

“Assume nothing. Verify everything. Especially if it’s holding the keys.”

Downplaying security issues doesn’t calm nerves — it tends to do the opposite. People aren’t alarmed by the risks — they’re alarmed by the suggestion that someone isn’t taking them seriously. Ignoring concerns doesn’t make them vanish — it just makes people wonder what else is being ignored.

#20 Re: Freedom Hacks » Turnstile: security considerations and potential issues » 2026-02-09 23:36:55

"Turnstile: Security considerations and potential issues" might be a neutral and appropriate title.

It avoids alarmist language, doesn't assume intent or severity, and fairly signals a balanced review of possible concerns — exactly what one would expect from a technical or security assessment.

“Not dramatic, not dismissive — just a quiet invitation to have a proper look under the bonnet.”

#21 Re: Freedom Hacks » Turnstile: security considerations and potential issues » 2026-02-09 21:56:03

Your title “I don’t like turnstile” suggests a rather black-and-white take on things, doesn’t it? — as if one must choose between knowing every last detail and simply getting on with it.   

It’s not entirely fair to say it’s just a trade-off between knowledge and convenience — more like a quiet agreement to stop asking awkward questions in exchange for fewer flat tyres. 

“Perfectly sensible, really — so long as you don’t mind not knowing where the car’s actually going.”

Turnstile might be attractive to hackers — not because it’s weak, but because it’s sitting there with a sign saying “important things this way”.   

It’s a bit like fitting a fancy lock on a shed that’s full of tools: looks secure, but also tells the thief exactly where to start looking. 

So yes — it’s not a password manager, but it does run as root and handle login sessions. And if a hacker’s prowling about? 

“They’d be daft not to give it a poke.”

#22 Freedom Hacks » Turnstile: security considerations and potential issues » 2026-02-09 13:01:06

igorzwx
Replies: 8

One might very gently suggest that there are one or two lingering niggles about Turnstile — nothing major, mind you, more of a slight twitch of unease among the more cautious sorts.

It’s possible the word “login” itself sets off a faint, almost imperceptible alarm in certain ears — a bit like hearing the phrase “secure your bunker” during a light drizzle. Nothing to get your knickers in a twist over, but one can’t help noticing how the term does carry a certain… gravitas.

As the British might say: “Oh, it’s all perfectly fine — unless you’re the sort to worry about who’s watching the door. And the windows. And possibly the cat.”

Security Limitations and Polkit Integration

A key security limitation arises when polkit (PolicyKit) interacts with sessions managed by Turnstile.  

That means things like polkit may treat anything running within turnstile as a non-local session, and may not authenticate the processes. There is no way to get around this limitation outside of patching polkit, see Chimera's patches for reference. The alternative is not registering it at all, which will not make polkit work, as the session tracking logic in it will not be able to assign the processes to any UID and things will not work either.  Systemd user services are treated specially by systemd, as they are recognized by the service manager, but are explicitly not considered to be a part of any session (as they are shared); that means polkit will fall back to looking up whether any seated session for the UID exists.
_https://github.com/chimera-linux/turnstile

If pam_systemd or pam_elogind is used in the PAM configuration for Turnstile, the session may be registered without a proper seat. This causes polkit to treat the session as non-local, which can prevent proper authentication for certain operations. 

  • Processes running within such a session may be denied privileged actions even for legitimate users. 

  • There is no workaround without patching polkit itself, as noted in Chimera’s documentation. 

  • Not registering the session at all leads to similar issues, as polkit cannot map processes to a UID correctly. 

This creates a security-policy enforcement gap, especially in desktop environments where user privileges must be accurately determined.

Known Issues and Workarounds

Several functional and security-related issues have been reported:

  • Group membership not fully recognized: In some cases, tools like doas or sudo fail because secondary groups (e.g., wheel) are not properly propagated during session startup. This stems from the backend (e.g., dinit-userservd) launching services using only the UID and GID, without initializing the full group list.

  • DBus session exposure: Users have reported that Turnstile sometimes fails to export the DBus session environment, leading to broken user services that depend on D-Bus communication.  _https://github.com/chimera-linux/turnstile/issues/2

  • Graphical vs. text session ambiguity: Turnstile currently cannot distinguish between graphical (e.g., X11/Wayland) and text (TTY/SSH) sessions, which limits context-aware service management. 

These issues affect both usability and security, particularly in multi-user or privilege-escalation scenarios.

One could quietly observe that while the goal’s rather noble and the method quite elegant, the implementation does have a tendency to keep one busy on a Saturday evening — not in the way one might hope. 

It’s not entirely undocumented, of course — more of a light suggestion of instructions, really — leaving ample room for what one might call creative troubleshooting. And as for debugging or penetration tests? Well, let’s just say they’re best approached with a sober mind, unless one enjoys chasing ghosts in the logs with a glass of something strong. 

“It’s not broken — just… enthusiastically unpredictable.”

Here are the key security considerations and potential issues:

Socket Permissions and Access Control

  • The control socket uses permissive permissions (0666) allowing connections from non-root users turnstiled.cc:47 , but relies on platform-specific credentials checking to verify the peer's UID/GID/PID utils.cc:25-111 . This design requires proper implementation on each supported platform.

Privilege Separation

  • The daemon runs as root but service managers are executed with dropped privileges after proper setup exec_utils.cc:126-145

  • Resource limits are sanitized before PAM session setup to prevent privilege escalation exec_utils.cc:106-124

Process Management and Timeouts

  • Implements a 60-second timeout for service manager startup to prevent hanging logins turnstiled.cc:55 turnstiled.conf.5.scd.in:93-97

  • Service managers that fail to signal readiness are terminated and runtime directories are cleaned up turnstiled.cc:1043-1054

Resource Management

  • Runtime directories are created with proper ownership and permissions

  • Cleanup occurs on logout unless lingering is enabled turnstiled.cc:1071-1075

Known Limitations

  • When integrating with polkit, sessions may be treated as non-local unless polkit is patched, potentially affecting authentication README.md:110-122

  • Root session management is disabled by default due to potential security implications turnstiled.conf.5.scd.in:99-104

Notes

The codebase appears to implement standard security practices for a session tracker, including privilege separation, credential verification, and resource cleanup. The main security considerations are around the permissive socket permissions (mitigated by credential checking) and the polkit integration limitations.

Yes, the Turnstile daemon runs as root, as confirmed by its documentation: the daemon must be spawned as a system-wide service with superuser privileges to manage session state and launch user service managers. 
While this is necessary for core functionality — such as tracking sessions, setting up XDG_RUNTIME_DIR, and spawning user services — it introduces inherent security considerations:

  • Running as root increases the attack surface if vulnerabilities exist in the daemon or its PAM interaction.

  • Although it uses a modular backend design (e.g., shell scripts to launch user services), privilege separation is minimal; the main daemon itself does not drop privileges. 

  • There is no built-in privilege separation framework, unlike systems such as OpenSSH or systemd, which use sandboxing or process isolation. 

In practice, this means trust is placed in the correctness of the code and its PAM configuration, with no fine-grained containment. As one might say:

It’s not alarming, per se — more of a "keep your fingers crossed and mind the gap" situation.

Ah, yes — having a daemon run as root is not so much a problem as it is handing the keys to the castle to a particularly excitable squirrel.

One might say:

“It’s perfectly fine — as long as you’re comfortable with the idea that if anything slightly goes awry, it won’t just trip over the rug… it’ll delete the rug, burn the house, and format the garden.”

Running as root means the daemon has full run of the system — great for trust, dreadful for security.  If there’s a bug, a misconfiguration, or a slightly overambitious typo, it’s not “oops, that broke a thing” — it’s “ah, there goes the entire machine.”

And if a clever sort on the internet does manage to pop in through a crack?

“Well, they’re not exactly breaking in — more like being handed the master key, a torch, and a note saying ‘Make yourself at home.’”

So yes — it’s technically functional. But from a security standpoint?

“Let’s just say it’s not paranoid to want a bit more formality before handing over total control.”

The good news is, you can enable debugging by editing /etc/turnstile/turnstiled.conf — it’s not exactly well-documented, mind you, but it does involve flipping the debug option to yes in the config file.

# Enable verbose debug logging  
debug = yes  
  
# Also send debug messages to stderr  
debug_stderr = yes

After that, just restart the turnstiled service, and the logs should start revealing a few of its more elusive secrets.

“Nothing too alarming — just don’t be surprised if the logs start reading like a mystery novel with half the pages missing.”

While the design of Turnstile does raise a few eyebrows, it’s not so much a flaw as a deliberate bit of juggling — trading some of the usual Linux security formalities for greater flexibility in how PAM ties in.

It’s a bit like rewiring the house to take a fancy new appliance: the lights still work, but you might wonder if the fuse box is up to code.

So, one might politely ask:

“Are we quite sure we want a Linux that’s light on tradition — or have we just thrown the front door key into the garden for convenience?”

#23 Re: Freedom Hacks » what about "turnstile" for user services? » 2026-02-09 01:15:29

Do you think it’s quite secure enough for Devuan users to try, or might there be a few little things to sort out first?

#24 Re: Freedom Hacks » what about "turnstile" for user services? » 2026-02-09 00:25:33

_https://github.com/chimera-linux/turnstile

Turnstile is a work in progress effort to create a session/login tracker to serve as a fully featured alternative to the logind subproject from systemd, and to provide a neutral API to both our session tracker and to logind itself.

What do you think "work in progress" means in this context?

It’s not entirely without problems:
_https://github.com/chimera-linux/turnstile/issues

#25 Re: Freedom Hacks » what about "turnstile" for user services? » 2026-02-08 14:15:11

It’s worth noting Turnstile is still a bit of a work-in-progress. It might be a touch temperamental, so don’t be surprised if it all goes a bit pear-shaped.
