Page 1 of 4 123 ... LastLast
Results 1 to 10 of 35

Thread: Sandfox - A Poor Man's Firefox Sandbox

  1. #1
    Join Date
    Feb 2007
    Beans
    206
    Distro
    Kubuntu

    Sandfox - A Poor Man's Firefox Sandbox

    So Fedora 12 has a convenient sandbox for running Firefox and other apps. Chrome runs sandboxed. And Windows 7 can even run IE sandboxed (allegedly). But in trying to find an easy, ready-to-go sandbox for Ubuntu and Arch I didn't find anything. Given Firefox's use of the exploit-ridden Flash, Java, and third-party plugins, I think this is an important ability.

    For those who aren't familiar, a sandbox is a way of running an app in a way that limits its access to the system resources. For example, Firefox running in a sandbox would only be able to access a limited subset of the filesystem - only the folders you include in the sandbox. This way any processes Firefox uses, such as Java, Flash, and plugins, are also limited.

    There are full (over-)blown solutions for this, such as AppArmor, SELinux (which is how Fedora apparently accomplishes it), and others. But none ready to go with no configuration. (Plus, I personally don't put a lot of trust in Novell or SELinux.) And I trust Google with my private data as much as I trust Microsoft, so Chrome is nothing I want anything to do with. The lack of options led me to develop Sandfox, which is designed to be easy to use and also flexible.

    In the easy department, you can install Sandfox and have Firefox running in a sandbox with one command:
    Code:
    sudo sandfox firefox
    In the flexible department, any app can be run sandboxed, either sharing a single sandbox or one for each program, based on profiles you can create.

    Sandbox is written in pure bash and uses only core Linux commands to create a chroot jail for Firefox. I wrote this primarily for my own use (and I'm writing this post from a sandboxed Firefox) but I'm sharing it because I think it fills a niche for a ready-to-go app sandbox. I'll let you review the website for the additional details. If you have any questions feel free to ask.
    http://igurublog.wordpress.com/downl...cript-sandfox/

    Code:
    sandfox --help
    
    Usage: sandfox [OPTIONS] [COMMAND [ARG]...]
    Runs COMMAND as a normal user within a chroot jail sandbox with limited
    access to the filesystem.  Supports profiles for apps and includes a default
    Firefox profile. Must be run as root when creating sandbox.  Examples:
     sudo sandfox firefox                    # Runs Firefox in a sandbox
     sudo sandfox bash                       # Shell to explore a sandbox
    OPTIONS:
    --bindro TARGET           Include TARGET (a file or folder) in the sandbox
                                bind-mounting it as a read-only filesystem
    --bind TARGET             Include TARGET (a file or folder) in the sandbox
                                with same ownership and permissions when possible
    --copy TARGET             Place a disposable copy of TARGET (a file or folder)
                                in the sandbox
    --hide TARGET             Include TARGET (a file or folder) in the sandbox
                                by bind-mounting an empty file or folder onto it
                                Effectively hides the real TARGET from the sandbox
                                Also provides a writable dummy folder
    --profile PROFILE         Load PROFILE (a profile name or pathname).  By
                                default profiles are stored in /etc/sandfox
    --make                    Force creation or update of a sandbox (make is
                                implied if you specify binds or profiles)
    --sandbox NAME            Specify name of sandbox to use, create, or update
    --close NAME              Unmount and remove sandbox NAME
    --closeall                Unmount and remove ALL sandboxes
    --status                  Show the status of all current sandboxes
    --shell                   Run COMMAND in a shell and wait.  Requires root.
                                (bash is always run in a shell)
    --user USERNAME           Run command as USER in the sandbox - useful if
                                auto-detection does not work or to override
    --profilefolder FOLDER    Use FOLDER instead of the default profile folder
                                IMPORTANT: should be root owned & write-protected
    --logfile LOGFILE         Also append messages to LOGFILE.  sandfox daemons
                                will also update this file provided it is
                                accessible from within the sandbox.
    --verbose                 Provide detailed feedback
    --quiet                   Minimize output messages
    NOTES: OPTIONS must precede COMMAND; you can also use OPTION=VALUE; binds are
    processed in this order: bindro bind copy hide; missing binds are ignored; if
    a profile for COMMAND exists it will be automatically loaded; default profile
    is always loaded; profiles may contain any options valid on the command line;
    if COMMAND is omitted, a sandbox will be created for use.
    Check out my blog for useful scripts and tips... http://igurublog.wordpress.com

  2. #2
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Sandfox - A Poor Man's Firefox Sandbox

    Congrats for all that work.

    I believe the Fedora sandbox you are referring to uses selinux to sandbox apps and it is not fully functional as of yet (assuming we are talking the same sandbox here).

    http://danwalsh.livejournal.com/31146.html

    The equivalent would be to use Apparmor, and starting with Ubuntu 9.10 there is a default apparmor profile for firefox.

    I would trust selinux and apparmor long before I trusted a chroot jail (not that chroot jails are bad, just there are not that hard to break out of either).

    Another option would be to use LXC, and ssh in with Xepher. LXC are very similar to chroot, but much improved in terms of security.
    Last edited by bodhi.zazen; February 5th, 2010 at 02:13 AM.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  3. #3
    Join Date
    Feb 2007
    Beans
    206
    Distro
    Kubuntu

    Re: Sandfox - A Poor Man's Firefox Sandbox

    Quote Originally Posted by bodhi.zazen View Post
    Congrats for all that work.
    Thanks - I'm learning a lot with it.

    The equivalent would be to use Apparmor, and starting with Ubuntu 9.10 there is a default apparmor profile for firefox.
    Right - personally I would not use AppArmor or SELinux. If you don't mind state- and corporate-sponsored backdoors they will stop script kiddies, I'm sure. They're probably good for the enterprise level. But if I wanted a huge trojan I'd run Windows. Given the origins and affiliations of Novell and SELinux, it's a bit like having the fox guarding the chickens. But that's just me. There are other full-blown solutions I would use before I would use those.

    I would trust selinux and apparmor long before I trusted a chroot jail (not that chroot jails are bad, just there are not that hard to break out of either).
    From my research into it, and from speaking with people more knowledgeable than myself, chroot jails aren't that hard to break out of if you have root running in them. In Sandfox's case, only a normal user runs in a root-enforced chroot jail, which is quite secure. I'll owe you a nickel if you can show me how to break out of a Sandfox sandbox.

    But I'm not suggesting this is intended to replace the likes of SELinux, etc., which also handle network access and other issues. This is just a filesystem jail that has the advantage of using core Linux commands. Perhaps it will get people more interested in sandbox potentials, and then they'll move on to greater things. Mainly, this provides a pretty tough layer between the app and the filesystem - should be as tough as any use of root. And without any dependencies on huge libraries of allegedly peer-reviewed code.

    Another advantage to this approach is it uses virtually no system resources - Firefox will run at full speed. (In fact, it could be my imagination but it seems to run faster.) Also, it has the ability to create a disposable copy of your .mozilla folder in the sandbox and destroy it when the sandbox is closed.

    Another option would be to use LXC, and ssh in with Xepher. LXC are very similar to chroot, but much improved in terms of security.
    I looked at LXC briefly but one problem I have with such solutions is that they don't seem to follow the Keep It Simple approach. But I'm going to look at that some more.

    Thanks for your comments and suggestions.
    Check out my blog for useful scripts and tips... http://igurublog.wordpress.com

  4. #4
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Sandfox - A Poor Man's Firefox Sandbox

    Well, both SELinux and Apparmor are open source, and no back door has yet been identified. Apparmor is no longer maintained by Novell.

    I used to trust chroot jails, but once you learn to break out you will not trust them as much as you do now. This is why people develop alternates such as LXC, OpenVZ, Xen, and BSD jails.

    Other then that, this is not a proof of concept forums (in terms of breaking out of jails), but ask those you trust, who are more knowledgeable then you, to explain how to break out of chroot jails.

    In terms of simplicity,

    Code:
    sudo aa-enforce firefox
    done . Right back at you, I will give you a nickle if you can break out of the firefox apparmor profile. I will give you dime if you can demonstrate a back door to either selinux or apparmor.

    Now you may wish to change some of the settings in the default profile, that is up to you.

    If you wish to remove .mozilla, take a look at shread or dd.

    Take care with your argument re: "root confined". With a default installation all system files are root confined, so, at the end of the day, how is it your confinement is any better then the defaults ? I would caution that it is not. The ability to alter system files implies root access, which implies root access within your chroot, which implies escape. This is the problem that tools such as selinux and apparmor are trying to address, restricting even root.

    LXC is not a viable alternate yet if you want simple, give the project some time to develop the user tools and it likely will be.

    I am not trying to discourage you, but, if you get over your bias re: aa and selinux you may find them to be very viable and secure options.

    I am also cautioning you that your confinement is not as strong as you think it is. An exploit that allows one to run arbitrary code implies root access and you have not confined root.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  5. #5
    Join Date
    Feb 2007
    Beans
    206
    Distro
    Kubuntu

    Re: Sandfox - A Poor Man's Firefox Sandbox

    Take care with your argument re: "root confined". With a default installation all system files are root confined, so, at the end of the day, how is it your confinement is any better then the defaults ?
    It is not better than the defaults, it is merely as good as them. Sandfox doesn't aim to address protecting apps as much as it aims to address protecting user's data. I discuss this in my article Fear Not Root if you're interested. Simply put, root may protect system files (the least valuable and most easily replaced data on your system), but it does nothing for most PC user's data, nor does it stop arbitrary code from running.

    Sandfox's design aims to use the power of root to protect more of that data.

    I am not trying to discourage you, but, if you get over your bias re: aa and selinux you may find them to be very viable and secure options.
    I simply don't trust their origins. I can't demonstrate a backdoor, but I'll bet if I reviewed the million lines of code I could find one. It would then be labeled a 'mistake' and corrected. It's called plausible deniability.

    At any rate, that's just my personal, irrational take on it as a card-carrying skeptic of anything corporate built and NSA influenced. These are the people whose business it is to steal. I don't think their primary concern is your security.

    But I'm not suggesting Sandfox is military-grade security. It's more like making files owned by root and inaccessible as far as some apps are concerned.

    An exploit that allows one to run arbitrary code implies root access and you have not confined root.
    Not at all. It does not require root access to run arbitrary code in Linux. Any user can compose or download software and run it. You may need root to install it, but not to run it. Like many devs, you are thinking that the most valuable data are the system files. I consider that the least valuable data on a PC.
    Check out my blog for useful scripts and tips... http://igurublog.wordpress.com

  6. #6
    Join Date
    Feb 2007
    Beans
    206
    Distro
    Kubuntu

    Re: Sandfox - A Poor Man's Firefox Sandbox

    At any rate, I appreciate the dialog with bodhi.zazen - he brought up some good points to consider. But some of that went far off-topic in terms of what Sandfox does, so let me just clarify what Sandfox does and does not do.

    Imagine if you didn't trust Firefox, Java, Flash, and 3rd party plugins, so before you ran it, you logged in as root and made some folders root-owned and inaccessible. Then you ran the program. You have effectively used the power of the root account to create a sandbox for Firefox (and every other app running as a normal user on your entire system). Since Firefox is running with your user privileges, unless it has an exploit to get root privileges, it can't access some files. This mechanism is at the core of how Linux limits users.

    That is really all Sandfox does - it just does it in a more convenient way. Instead of sandboxing all apps at once, it just sandboxes the apps you choose. But the rest is about the same - root is used to protect your data.

    As far as jail-breaking, most of those techniques revolve around getting root out of a jail. While I am not an expert on jail-breaking, I have reviewed the techniques from various sources, and they simply don't work as a normal user. You are welcome to try them in a Sandfox sandbox, but since you don't have root, it will be basically as difficult as getting root access on your Linux system when you don't have the root password. In fact it will be more difficult, since you won't have access to the whole filesystem - you won't be able to run su, for example, even if you DO have the root password. Sandfox just uses the already-established root mechanism of Linux, extending it to protect your user data, which Linux generally does a poor job of. I discuss this in Fear Not Root.

    Sandfox does not aim to confine root - if someone has an exploit to get root access through your running Firefox as a normal user, your system is probably vulnerable whether Sandfox is running or not, although it would be a bit tougher for it if Sandfox is running. But this is not the nature of most privacy issues introduced by Firefox and similar apps. They don't rely on privilege escalation as much as basic access. They run with your user privileges only, which gives them complete access to your data.

    If privilege escalation was the primary issue in Firefox, you would see everyone's linux system not protected by AppArmor infected with viruses, Windows-style. You don't see that because that kind of exploit is not common in Linux. What is more common is the weekly vulnerability in Flash that allows 'arbitrary execution of code' - as a user, not root. But as a user it has access to all the data you do as a user, as well as access to the Internet. It does NOT have access to root-protected data - that is where Sandfox comes in. Further, some plugins don't necessarily need to execute arbitrary code - they simply have access to the filesystem.

    Sandfox is not 'app armor', it is more 'user data armor', and the way it builds that armor is by using core Linux commands as root in a fairly simple way. That's why I refer to it as a poor man's sandbox - it just uses very basic tools to create a root-enforced sandbox. The good news is those tools are core Linux commands that have been fairly well security-hardened.

    What does that look like? I am running Firefox right now in a sandbox. If I try to save this page and the save as... dialog opens, many of my folders are simply not there. It looks like someone has erased most of my filesystem, leaving just a few folders to run Firefox. Java, Flash, and other child processes of Firefox see the same thing when they access the filesystem. Many of the folders are just not there. That is what Sandfox does.

    Personally, I like this approach because it uses tools and commands I understand and which are part of the core Linux set, it doesn't drain system resources, it doesn't require any elaborate configuration or bloated libraries, and it's simple, which I think is good in security. Understanding how security works makes for good security. I don't like many convoluted security solutions because for all their complexity they often fail to address the most important things to a PC user.

    At any rate, I'm not selling it - just explaining it as clearly as possible for those who have a use for such a thing. You can also check out the 'How It Works' section on the website which has some further explanations of the details.
    Check out my blog for useful scripts and tips... http://igurublog.wordpress.com

  7. #7
    Join Date
    Nov 2008
    Beans
    16

    Smile Re: Sandfox - A Poor Man's Firefox Sandbox

    Choice is a beautiful thing. One can't make a valid argument against having more choices in a society that pretends to be free. Thanks for giving us a very good choice, Ignorantguru. It may not be as sophisticated and complex as the big ones, but it's easy to understand and it works for the purposes I needed a sandbox for. I will view further criticism of it with extreme scrutiny. Be specific about your criticism... because I'll be watching... Muuuhahahahaaahaaaahaaaaa.

  8. #8
    Join Date
    Feb 2007
    Beans
    206
    Distro
    Kubuntu

    Re: Sandfox - A Poor Man's Firefox Sandbox

    lol My pleasure! Glad it's working well for you.
    Check out my blog for useful scripts and tips... http://igurublog.wordpress.com

  9. #9
    Join Date
    Feb 2007
    Beans
    206
    Distro
    Kubuntu

    Re: Sandfox - A Poor Man's Firefox Sandbox

    Instructions have been added for starting Sandfox automatically at boot. This enables you to have a sandbox already open when the user logs in and starts programs, without the need to enter the root password.

    Also, the default profiles have changed a bit in version 0.9.5. If you would like to see the new defaults, remove your /etc/sandfox folder and Sandfox will recreate the default profiles. If you are using an older firefox profile, it is suggested that you add “bind=/dev/urandom”, as Firefox uses this for security purposes.
    Check out my blog for useful scripts and tips... http://igurublog.wordpress.com

  10. #10
    Join Date
    Nov 2008
    Beans
    16

    Re: Sandfox - A Poor Man's Firefox Sandbox

    Quote Originally Posted by IgnorantGuru View Post
    If you are using an older firefox profile, it is suggested that you add “bind=/dev/urandom”, as Firefox uses this for security purposes.
    Thanks. I did, in fact, notice that when Firefox wouldn't start up and I traced it down using the methods in your readme. Brilliant. When something won't even start because I haven't allowed something it needs, I know it's being properly sandboxed. Also, thanks for the daemon startup. It's exactly what I needed, even though the daemon startup doesn't seem to be working, but it's likely something I'm doing wrong or forgetting.
    Last edited by halfvulcan; February 15th, 2010 at 04:42 AM.

Page 1 of 4 123 ... LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •