As we were just talking about it in another thread, I thought I would share some tips for using Palemoon and some of its extensions. Feel free to add here if you have any tips yourself.
Sandboxing Palemoon can be done with firejail.
apt-get install firejail
Firejail already has a profile for Palemoon so you don't need to configure it.
firejail palemoon
That's it, sandboxed.
Update: If you run into issues disable seccomp support in /etc/firejail/palemoon.profile
#seccomp
One of the problems with some XUL extensions is that PM is not compatible with australis that some extensions use. Australis is a newer user interface and theme Firefox uses. But that doesn't mean these extensions don't always work, just that the interface is broken.
One workaround for incompatible extensions is to use the moon tester tool extension. This makes it possible to use the install button for some AMO extensions, even if they are not completely compatible.
The Classic Add-ons archive extension provides a viewable archive of XUL extensions.
Some extensions that work:
uBlock Origin has working legacy builds.
Greasemonkey for Palemoon is interesting for tinkering with in browser user scripts.
The noscript legacy builds for Firefox 52 ESR work in PM (missing upper tray icon).
HTTPS Everywhere version 5.2.21 works except for the interface.
Last edited by chillfan (2017-12-16 20:37:42)
Offline
I have been running it for a while in 3 different distros and I have been happy with it.
Today I noticed that I was about 4 versions back already.
I use the pminstaller.sh since the installation and it is still the same version. I tried update and it said NO-NO.
I then tried the install and it told me I should remove the original. I did and it said it was removed. Although in the system it still showed as installed. So I tried remove so I can install from scratch. I then used apt to remove it.
So I run the installer yet again, it reached 86% and then stalled. I killed it and I run it again, starting from 0%
Finally I am back to a current PM, no sensible change. The huge firefox-esr installed in a fraction of overall time and used it to get to check if the installer is current. The PM site is not functional with dillo, a script safe browser for minimalists.
Wild ride!
Offline
Correction,
All of the above is true for Devuan, on the same system on Artix and Obarun the palemoon updater/installer worked fine
I just download the .deb and dpkg it manually, works fine, no need for updater or any hoo-ha.
FYI newest PM (27.6.2) requires newer version of libdbus-1-3 than what's in devuan jessie, but I have successfully used the dbus packages from ascii in my jessie installs and they are working fine as is PM.
Last edited by greenjeans (2017-12-20 21:05:18)
https://sourceforge.net/projects/vuu-do/
Vuu-do GNU/Linux, minimal Devuan-based openbox systems to build on, maximal versions if you prefer your linux fully-loaded.
Please donate to support Devuan and init freedom! https://devuan.org/os/donate
Offline
Pale Moon for Linux release binaries
http://linux.palemoon.org/download/mainline/
I use ^this host for my copy, of course by choosing the architecture. Extract and run from a $HOME directory.
https://github.com/StevenBlack/hosts
https://github.com/Yhonay/antipopads
StevenBlack & Yhonay adblocks by using hosts@etc. Efficient enough for my purposes.
about:config?filter=/^javascript.enable/
Block javascript with double-click, enough to create a shortcut-link to Bookmark Toolbar.
Navigating with JavaScript disabled by setting the value to "false".
Last edited by Nili (2018-01-26 14:00:41)
Tumbleweed - KDE Plasma (Wayland) - Breeze (LeafDark) [Qt]
♪Mahara★Japaaan!
Offline
Let's say you want some scripts in some pages, but not on the rest, this solution is inconvenient. The no-script button https://www.informaction.com you can click to unblock temporarily or permanently or permanently block a single site. On a classic news/media article you will be surprised on how many sites are at it studying who you are and what you are interested in.
This here forum works fine with no scripts. Not your usual situation these days.
On mx/anti-x not only you need scripts but you need them to go through clouds to get to it.
“The reasonable man adapts himself to the world: the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man.”
― George Bernard Shaw
Offline
> Pale Moon for Linux release binaries
> http://linux.palemoon.org/download/mainline/
> I use ^this host for my copy, of course by choosing the architecture. Extract and run from a $HOME directory.
> https://github.com/StevenBlack/hosts
> https://github.com/Yhonay/antipopads
> StevenBlack & Yhonay adblocks by using hosts@etc. Efficient enough for my purposes.
> about:config?filter=/^javascript.enable/
> Block javascript with double-click, enough to create a shortcut-link to Bookmark Toolbar.
> Navigating with JavaScript disabled by setting the value to "false".
I use Steve Black's hosts file as well, fantastic resource. I've not heard of Yhonay adblocks hosts, will have to check that out.
I also use a customized user.js and ublockO.
Offline
> I use Steve Black's hosts file as well, fantastic resource. I've not heard of Yhonay adblocks hosts, will have to check that out.
> I also use a customized user.js and ublockO.
There was a good conversation @StevenBlack/hosts for this host.
Also updated frequently. I was there and caught it. Since then, I regularly use them.
Of course they do not have the ability to block host on real time like proper ad-block with menu (right/left-click "block it!"),
But we can do pretty much blockages manually @hosts with IP as well. Also this technique I find lighter for my browser or system resources.
Last edited by Nili (2018-01-27 17:49:09)
Offline
is this really a sandbox?
when i run $firejail palemoon
the first thing i notice that my default homepage is not loading (because its a html file deep down in my ~)
so that is working, good
however when i download foo from www.foo.bar it ends up in my ~/Downloads
dont know what to make out of this
Offline
Firejail does the same thing on firefox. It is a feature not a bug. Since information can pass both ways, it prevents access to your personal information. It took me a while to adjust to it.
Offline
> Firejail does the same thing on firefox. It is a feature not a bug. Since information can pass both ways, it prevents access to your personal information. It took me a while to adjust to it.
Indeed the sandbox only lets you access downloads. So if you want to upload something into your browser (e.g. an email attachment) just drop it in downloads first. If you want to add more, append whitelist <directory path> to /etc/firejail/palemoon.profile.
It's worth noting about Firejail that Steve Pusser also offers a newer version of firejail that's compatible with Palemoon (which releases quickly and has no LTS), so it's best to use his builds.
Last edited by chillfan (2018-03-19 16:10:17)
Offline
TorBrowser offers a sandboxed-browser and on its configuration you are asked whether and which directories outside the sb is the program allowed to access or to specify a sandboxed folder where you can place things before and retrieve things after. It even asks you whether you want audio/visual drivers enabled within the sb to isolate it even more. Even a task manager run inside a sandbox can not even see the system but a fake one. It seems as firejail has slackened stuff up and made defaults of a more liberal sb system. It was stricter on those things when it started. It seems also that TB sb project has been placed in storage and is not developing lately.
There is also "containers" like lxc which may interest you
Offline
> stricter on those things when it started.
ok, glad to hear someone else also noticed this. I had mixed thoughts on the noticeably lax default settings. On one hand, seemed like a sellout, a dumbing-down, catering toward "one-click install (and done)" users. On the other hand, if the dev doesn't cater to those users, the project winds up with "bad press word-of-mouth" from casual users who've tried it, and discovered that "it broke stuff" so uninstalled it without bothering to learn about adjusting profile settings.
Offline
> I just download the .deb and dpkg it manually, works fine, no need for updater or any hoo-ha.
I used gdebi, figured it be updated since going that route. But I'm still on 27.8.1 with the latest at 27.9 so upgrading is manual I guess.
Playing around with my anonsurf hobby, and checking to confirm ip changes - I kept seeing the same ol` user agent.
Grabbed the addon: User Agent Overrider: 'Override browser User-Agent string'. (latest updated pkg)
and that changes now to.
Where to turn, when pm starts slowing down & gets bloated?
miyoisomix.i2p
Offline
> Where to turn, when pm starts slowing down & gets bloated?
xkill works a treat and when you reopen PM, the killed browser session pops up and asks if you want to restore.
Offline
using noscript and firejail is WAY! better than just noscript, because its better isolation between the browser and the host os.
and if you throw in a good hosts file like the thread says, its even better because now youre totally blocking the worse known offenders who serve the scripts that do the naughty things that noscript could block and firejail may prevent from touching your computer. not bad!
heres the stuff that people miss though, when they run firejail and/or use a good hosts file but dont use noscript (or use yesscript instead):
* cross site vulnerabilities-- you have a rogue script or rogue site that is exploiting vulnerabilities between tabs-- hosts file helps some, firejail maybe none.
* firejailbreakers-- probably very rare if they exist, but noscript may prevent scripts from ever running that theoretically could break through firejail if they ran
* sites with random/dynamic subdomains-- these can totally circumvent host files in some instances. dfskndfcn-zckf95jn.adserver-bs.com
* sites that use ip addresses instead of dns, obviously. noscript will protect you and hosts wont.
you can use hosts.allow and/or hosts.deny (its been too long since ive tried this) to create a hosts whitelist instead of a scripts whitelist. no one is crazy enough to do that, but credit where credit is due to the hosts list-- its a powerful thing if you want it to be, but the resolution isnt very high on it.
tl;dr: firejail is not a noscript replacement; but it is still awesome.
Last edited by figdev (2018-05-18 02:57:49)
Offline
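The two hosts-file gaps listed in the post above (random subdomains and IP-address URLs), as an added example that is not part of the original thread: it checks URLs against a hosts-format blocklist using exact-name matching only, which is all a hosts file provides. The blocklist entries, the sink-address set and every URL except the subdomain quoted in the post are constructed sample data.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in hosts-file format: sink address, then one or more names.
SAMPLE_HOSTS = """\
127.0.0.1  localhost
0.0.0.0    adserver-bs.com
0.0.0.0    tracker.example www.tracker.example  # inline comment
"""
SINKS = {"0.0.0.0", "127.0.0.1", "::", "::1"}

def parse_blocklist(text):
    """Return the names that a hosts file maps to a sink address."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in SINKS:
            blocked.update(name.lower().rstrip(".") for name in fields[1:])
    blocked.discard("localhost")
    return blocked

def classify(url, blocked):
    """Say how a hosts-file blocklist treats the host part of a URL."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        ipaddress.ip_address(host)
        return "ip-literal"  # no name lookup, so the hosts file is never consulted
    except ValueError:
        pass
    if host in blocked:
        return "blocked"
    # Hosts entries are exact names: a listed parent does not cover its subdomains.
    labels = host.split(".")
    if any(".".join(labels[i:]) in blocked for i in range(1, len(labels) - 1)):
        return "subdomain-miss"
    return "unlisted"

def audit(urls, hosts_text=SAMPLE_HOSTS):
    blocked = parse_blocklist(hosts_text)
    return {url: classify(url, blocked) for url in urls}

if __name__ == "__main__":
    # Constructed URLs; the random subdomain is the one quoted in the post.
    for url, verdict in audit([
        "http://adserver-bs.com/ad.js",
        "http://dfskndfcn-zckf95jn.adserver-bs.com/ad.js",
        "http://192.0.2.10/ad.js",
    ]).items():
        print(f"{verdict:15} {url}")
```

Run over a browser's request log, the "subdomain-miss" and "ip-literal" verdicts are the requests that only a script blocker or a filtering resolver would stop.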
There was a short-lived conversation on FDN about firejail a few months ago. I thought it important to remember that truly paranoid users need pay mind to hardware and their kernel.
http://forums.debian.net/viewtopic.php?p=644598#p644598
Also, the Linux kernel itself is vulnerable to a broad range of exploits thanks to the developers' refusal to prioritise security-related bugs until relatively recently.
So to presume that the same developers can then conjure up a "secure layer" is rather optimistic, in my opinion.
There have been many demonstrated vulnerabilities in the kernel namespace feature (used by firejail & co.), I think it would be folly to rely on it too much.
I can recommend OpenBSD for online banking use, their kernel has been designed with exploit prevention in mind for the last 20 years 8)
Always remember:
NSA wrote: Security is a state of mind.
In terms of Palemoon tips, while I'm using it a lot less these days (solely because of webkit limitations), the biggest asset is researching, trying new plugins, and if they break, research any alternatives. One of the best plugins is Palemoon Commander, which gives you access to an incredible amount of security and privacy options. You can also make most of the same tweaks as you could with firefox in about:config.
Unfortunately, don't expect too much, because mainstream Firefox is completely changing, and it's disincentivizing past addons' developers from continuing backward compatibility; uMatrix, which offers script-blocking utilities, no longer works, and I'm getting the sense that noscript compatibility has died as well -- all of which is a shame. That coupled along with trivial disputes between Moonchild Studios and other distributions, including openbsd, and I'm not sure I see much light at the end of Palemoon's tunnel. There's another thread here about different browsers, if you'd like to see a comparison: https://dev1galaxy.org/viewtopic.php?id=1697
Last edited by siva (2018-05-18 12:36:32)
Offline
kudos for pointing out the relative weaknesses of firejail-- im sure its clear that (at least from my perspective) im not dissing firejail and im confident it will help more than nothing; its just about figuring out when (and to what extent) its effective and helpful.
im not dissing the kernel i use daily either, but im aware of the advantages (and the downsides) of the bsd kernel. (downsides: convenience. only one i know of, s'why i use the linux one.)
i wouldnt tell people "dont use firejail" and i dont think anybodys said that yet, simply use it and know what its good for (and not good for.) fsr is an advocate of it from what i can tell, and i figure his reasons are good enough. pointing out the limitations is good too, like when you download tor and it says "and this is what tor does not do..." a very important side of things when you do stuff for security reasons.
Last edited by figdev (2018-05-18 19:15:55)
Offline
I don't know the details of how firejail works, but I understand that it limits access to the user's directories. I imagine there are ways around it, but every little hurdle will help. Pretty sure I've been using firejail ever since you (fig) told me about it. That was back on the refracta forum in a thread about Xephyr, I think.
There's also sandboxy, which I know even less about and have never tried. Has anyone here used it?
Offline
> Pretty sure I've been using firejail ever since you (fig) told me about it.
isnt that hilarious? i thought i heard about it from you! but youre probably right though. i wonder who recommended it to me... probably the guy from my forum. (no, no, old forum. not up anymore.)
well, whichever one of us started that, i still think firejail is a great idea. what would be bad is letting people think they have some kind of bulletproof shield when the weaknesses are known. like it probably will stop bullets-- but only up to a certain caliber.
when they sell/promote security solutions, they often focus on just the capabilities. when you look for/need security solutions, you really need to be told both the capabilities and the limitations. this disparity is partly why users know so little about whats safe. (also, its probably true that most dont care, thats not really unfair to say.)
Last edited by figdev (2018-05-18 21:57:13)
Offline