Re: chroot (sandbox) your browser?
Posted: Thu May 21, 2015 9:54 am
Hey guys, sorry for letting this one slide. Browser security is still a very important topic for me. It should be to you as well, especially if you're running an OS that allows you to sudo everything without a password, but I'll leave that topic for another thread. So far I've tried a few things.
Making a full chroot OS is possibly the safest but it comes with a few caveats. Everything you do in that browser is stuck in the chroot, including uploading and downloading files. There are ways to work around this but it gets messy. I'd use this only if I were really paranoid about visiting dangerous sites, like for testing and forensics. It's also a pain to setup and use.
Sandfox is descibed as the poor man's sandbox and seemed promising at first. However it seemed buggy and sometimes it would crash or not work at all. With a bit more research I'm sure I would have managed to get it right, but I gave up. It might actually work much better on other distributions without modifying the script. I still think this might be worth a second look.
Firejail seems like a decent compromise between ease of use and a full chroot jail. This is what I'm running now. It's also on Debian repositories so it's as easy as running apt-get install firejail and running firejail firefox or firejail google-chrome from the command line to get decent security. It only causes problems with certain Firefox extensions that rely on external programs to work, like Video Downloader conversion utilities or Open in Chrome.
Making a full chroot OS is possibly the safest but it comes with a few caveats. Everything you do in that browser is stuck in the chroot, including uploading and downloading files. There are ways to work around this but it gets messy. I'd use this only if I were really paranoid about visiting dangerous sites, like for testing and forensics. It's also a pain to setup and use.
Sandfox is descibed as the poor man's sandbox and seemed promising at first. However it seemed buggy and sometimes it would crash or not work at all. With a bit more research I'm sure I would have managed to get it right, but I gave up. It might actually work much better on other distributions without modifying the script. I still think this might be worth a second look.
Firejail seems like a decent compromise between ease of use and a full chroot jail. This is what I'm running now. It's also on Debian repositories so it's as easy as running apt-get install firejail and running firejail firefox or firejail google-chrome from the command line to get decent security. It only causes problems with certain Firefox extensions that rely on external programs to work, like Video Downloader conversion utilities or Open in Chrome.