chroot (sandbox) your browser?

Due to overwhelming demand, we have created a forum just dedicated to Toughbook users who use Linux!
kode-niner
Posts: 700
Joined: Sat Jun 07, 2014 7:39 am
Location: Canada

chroot (sandbox) your browser?

#1 Post by kode-niner »

Anybody consider doing this? With the excellent security (NOT) of Flash, Java and plugins for whatever browser you use, this is a thing I've been doing on my permanent installs. Although I admit I've been slacking lately so I'm revising my Toughbooks.

Why do this? Running stuff in a chroot jail makes sure that if your application runs amok and tries to pwn your system, it won't get very far and access all your files, or worse. The problem is techniques vary and results can be less than perfect if you want to launch a chroot browser in one command or menu item.
Daily drives a CF-31

UNCNDL1
Posts: 509
Joined: Wed Nov 16, 2011 8:01 pm
Location: New England

Re: chroot (sandbox) your browser?

#2 Post by UNCNDL1 »

I'll have to do some reading on this and try it out. Any tips or pitfalls?
CF-53 MX-Linux 21 Wildflower
CF-30 MK2 SSD MX-21 Betsy, MK2 Navigatrix, Fundraiser for TbT
CF-52 GUN SSD MX-19
(NICE) Thanks Sadlmkr
CF-M34 MicroWattR8 Thanks Sadlmkr
CF-M33 MicroWattR8 Thanks Springfield

kode-niner
Posts: 700
Joined: Sat Jun 07, 2014 7:39 am
Location: Canada

Re: chroot (sandbox) your browser?

#3 Post by kode-niner »

Look into chroot and debootstrap for creating a chrooted environment to play with. The caveat with this is that almost all methods require you to use sudo or edit /etc/sudoers if you want to make launching your browser as simple as possible.

Another method was to launch your browser under an unprivileged user. The point for that was to run the browser process under a bogus user that has access to absolutely nothing but his own files. It's not as secure as a chroot but in my opinion works sufficiently well, but the methods could get messy and require scripts and using xhost to allow this user to connect to the X server to launch the application.

Right now I stumbled upon sandfox http://igurublog.wordpress.com/download ... t-sandfox/ which attempts to make running sandboxed processes much easier. It's quite simple to install but it does require more sudo-ing. I'll look into this and any other easy methods and post back here. Right now I'm going to play with sandfox and attempt to understand how it works.
Daily drives a CF-31

kode-niner
Posts: 700
Joined: Sat Jun 07, 2014 7:39 am
Location: Canada

Re: chroot (sandbox) your browser?

#4 Post by kode-niner »

Interesting. sandfox sort of creates a chrooted environment in temporary mount points in order to isolate and execute applications. It's only working on my desktop PC so far and I haven't tried it on other than my CF-19 Debian workhorse. I am currently taking a closer look at how it copies and saves firefox/iceweasel or other browser profiles between sessions, so that you can keep your bookmarks and plugins intact.
Daily drives a CF-31

kode-niner
Posts: 700
Joined: Sat Jun 07, 2014 7:39 am
Location: Canada

Re: chroot (sandbox) your browser?

#5 Post by kode-niner »

I've been gone for a while, folks. I'm back! I'm going to post the best method for chrooting your browser in a bit, which is a full chroot with debootstrap. Sandfox is proving to be unreliable. I have my desktop PC to set up soon so I'll take notes.
Daily drives a CF-31

kode-niner
Posts: 700
Joined: Sat Jun 07, 2014 7:39 am
Location: Canada

Re: chroot (sandbox) your browser?

#6 Post by kode-niner »

Just to let you guys know I haven't forgotten this. Just been kind of busy. And when I'm not, I just want to disconnect my brain and stay away from keyboards.
Daily drives a CF-31

UNCNDL1
Posts: 509
Joined: Wed Nov 16, 2011 8:01 pm
Location: New England

Re: chroot (sandbox) your browser?

#7 Post by UNCNDL1 »

Wondering if certain browsers are better than others along with what you are talking about, i.e. this one:
http://www.dillo.org/
CF-53 MX-Linux 21 Wildflower
CF-30 MK2 SSD MX-21 Betsy, MK2 Navigatrix, Fundraiser for TbT
CF-52 GUN SSD MX-19
(NICE) Thanks Sadlmkr
CF-M34 MicroWattR8 Thanks Sadlmkr
CF-M33 MicroWattR8 Thanks Springfield

kode-niner
Posts: 700
Joined: Sat Jun 07, 2014 7:39 am
Location: Canada

Re: chroot (sandbox) your browser?

#8 Post by kode-niner »

Quite possibly. But it's Adobe Flash, JavaScript and JRE that are making me paranoid. On Windows, having software silently install itself and infect your system by just browsing a site is comically common. I'd like to avoid full access to my files from my browser process on my Linux systems.
Daily drives a CF-31

glitch
Posts: 61
Joined: Sun Dec 07, 2014 2:39 pm
Location: Around Kansas City

Re: chroot (sandbox) your browser?

#9 Post by glitch »

I rebuild my systems so often it is not a concern, but have you looked into SELinux, and the package "harden"? I have just found that one of our professors here at school would like to make a hacking team; he deals with security stuff. When I learn stuff from him I will relate it here.

Windows didn't understand ownership and file permissions and as a result the virus/malware/spyware grew.

I will look around and see if I can find anything to help. I was thinking you could write a bash script to launch everything. There is a command that lists which process is linked to which process, but I can't recall it at the moment. I will find it and then you can pipe its output through grep to a file to track what "browser" it connected or calling to.

Off to class.
glitch

CF-19 Mk-1 / CF-M34 / CF-27 / CF-28 / CF-29 Mk-1 / CF-H1 Field/Health

“The soul is dyed the color of its thoughts. Think only on those things that are in line with your principles and can bear the light of day. The content of your character is your choice. Day by day, what you do is who you become. Your integrity is your destiny - it is the light that guides your way.” Heraclitus ~5 bc

kode-niner
Posts: 700
Joined: Sat Jun 07, 2014 7:39 am
Location: Canada

Re: chroot (sandbox) your browser?

#10 Post by kode-niner »

The command to find out what files are currently being accessed by a running process is lsof. With no arguments or grepping, it lists all open files.
For example:

lsof | grep firefox
But that's beside the point. What you need to know is what user can access which files or directories. This is the most basic way to display this info and I am aware that there are better methods.
Log in as the non-root user then:

find / -readable
Or what can be modified:

find / -writable
Or executed:

find / -type f -executable
When a process is launched under that user, such as a child process from a Java applet running under your browser, it could technically access all those files and directories. SELinux won't help you since this is just a basic permissions issue. You quite simply don't want untrusted processes to be able to access files and run commands under that user. And don't get me started with an OS that by default allows regular joe user to use sudo without a password.

There are two ways of keeping a process such as a browser from reading files that it shouldn't. One is to run the process under another user and group that doesn't have free rein over the rest of your other user's files. It's not perfect since there are always files every user needs to see such as /etc/passwd and it can still execute any binary or script under that user. The other way is to run its own chroot jail and that is what I am going to explain here.
Daily drives a CF-31
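
An added example, not part of any post in this thread: a check for the "separate unprivileged user" approach discussed above, listing what an unrelated account could still reach under a directory tree. The function names are hypothetical, and the check looks only at the "other" permission bits; ACLs, group membership and the directories above the starting point are assumed not to matter.

```shell
#!/bin/sh
# Added example (not from the thread): estimate what a dedicated browser
# account could still read or modify under a tree such as /home.
# Assumption: access is decided by the "other" mode bits alone.

# Files under $1 readable by "other". A directory without o+x cannot be
# traversed, so everything below it is pruned even if a file is mode 644.
other_readable() {
    find "$1" -type d ! -perm -o=x -prune -o -type f -perm -o=r -print
}

# Files and directories under $1 writable by "other", with the same
# traversal rule applied on the way down.
other_writable() {
    find "$1" -type d ! -perm -o=x -prune -o \
        \( -type f -o -type d \) -perm -o=w -print
}

# Stand-alone use: sh script.sh /home
if [ -n "${1:-}" ]; then
    echo "Readable by other accounts:"
    other_readable "$1"
    echo "Writable by other accounts:"
    other_writable "$1"
fi
```

A home directory set to mode 700 drops out of both lists entirely, which is the cheapest way to make the separate-user method effective before moving on to a full chroot.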
