Sandfox - A Poor Man's Firefox Sandbox

[IgnorantGuru]

EDIT: Never mind all that about ps... I thought you meant the user daemon, whereas you mean the init.d script.

[IgnorantGuru]

Thanks. I did, in fact, notice that when Firefox wouldn't start up and I traced it down using the methods in your readme.

Also, if your Firefox required something else to start, please let me know so I can consider including it in the default profile - thanks.

And I still want to see your Skype profile.

[DawieS]

Thanks a lot! This is exactly what I needed.

I like the simplicity of the system. It is also very easy to customize. I have been playing around with it, and I like it a lot! I am sure Firefox runs faster as well.

I am using an updated recent fresh install of Ubuntu 9.10. For some reason I had to add the '.sh' suffix to the various 'sandbox' commands in your script, since I got the 'command not found' error message when I first tried to run as per your script.

Please correct me if I am wrong: If I run Firefox once outside the sandbox, setting up the site preferences, cookies etc. as per that last saved session, will all subsequent sessions have exactly that same 'profile' when run from within the sandbox? Thus all changes are discarded on exit? (Except of course downloaded files properly saved)?

This is great! Thanks again for your fantastic work!

[IgnorantGuru]

Hi - glad it's working well for you.

I am using an updated recent fresh install of Ubuntu 9.10. For some reason I had to add the '.sh' suffix to the various 'sandbox' commands in your script, since I got the 'command not found' error message when I first tried to run as per your script.

When you download the script from the website it's named "sandfox.sh" (due to limitations of the webserver it can't be named "sandfox"). If you install it as "sandfox.sh", then you need to run it with that name. Or you can rename it "sandfox".

Please correct me if I am wrong: If I run Firefox once outside the sandbox, setting up the site preferences, cookies etc. as per that last saved session, will all subsequent sessions have exactly that same 'profile' when run from within the sandbox? Thus all changes are discarded on exit? (Except of course downloaded files properly saved)?

With the default Firefox sandbox profile, your ~/.mozilla folder is read-write accessible from within the sandbox. So any changes you make in Firefox, such as settings, saved sessions, etc., are retained, and will appear the same when you run Firefox outside the sandbox. Both Firefoxes access the same folder.

You can also set it up so changes made inside the sandbox are discarded. In that case you could have sandfox create a disposable copy of your ~/.mozilla folder for the sandboxed Firefox to use, and it will be destroyed on exit.

Note that by default, the copy bind has a 50MB limit, although you can change this in the script to whatever you want (change the value of tmpfslimit in the pre-init section of the script). I plan to raise this default to 100MB in the next update. The copy bind uses tmpfs (RAM), so the 50MB limit is a safety limit to prevent a sandbox from consuming too much RAM.

Since ~/mozilla contains both Firefox settings and the cache, you may want to use two copy binds to give it 50MB + 50MB. For example, add these to /etc/sandfox/firefox.profile...

Code:

copy=/home/$user/.mozilla
copy=/home/$user/.mozilla/firefox/XXXXXX/Cache

where "XXXXX" is your default profile folder in Firefox. (You should also remove the bind=/home/$user/.mozilla from the profile). Or, just raise the tmpfslimit in the script so one copy is large enough to hold your whole .mozilla folder.

Let me know if any of that isn't clear - there are also instructions on the blog on how to use copy. Dealing with sandboxes can get fairly confusing so it's worth testing inside the sandbox to make sure it's behaving as you expect. I've gotten myself mixed up a number of times!


Also, not related to what you wrote, I just want to announce that I made a change to the startup script instructions. One user reported it didn't work with Ubuntu, and I confirmed this. It seems Ubuntu skips some runlevels, perhaps related to upstart. At any rate, I revised the instructions so that links are added to every runlevel, and this appears to work, at least for me.

Thanks for your feedback.

[DZ*]

Simply put, root may protect system files (the least valuable and most easily replaced data on your system)

I don't follow this. It's not data in system programs that's worth protecting, it's their behavior. If my OS makes it easy to covertly replace a remote login program with a custom version that lets someone in, then the fact that reinstall of that program is easy matters very little.

[IgnorantGuru]

I don't follow this. It's not data in system programs that's worth protecting, it's their behavior. If my OS makes it easy to covertly replace a remote login program with a custom version that lets someone in, then the fact that reinstall of that program is easy matters very little.

Yes, those files do need protection, and root does that. Least valuable does not mean non-valuable, it merely means less valuable than other data. Why are you protecting the system files so no one can get in? I would say to protect the more valuable data - which on a PC is the user's data, which is not generic or easily replaced.

That said, obviously if you don't protect system files (and thus system behavior), then you can't protect user files. But protecting system files is not an end in itself, merely the first step. Unfortunately most approaches to security in Linux go to great lengths to protect the system (behavior) but ignore the user's data as if it is unimportant.

Most apps don't need to be able to read or delete all user data, which is where sandboxes come in. IMO this should be a fundamental part of the system rather than an add-on, but Linux itself doesn't give users that level of control.

[DZ*]

I'm thinking what you're doing is nice and I'm not against the idea of sandboxing applications.

What I'm saying is that I don't follow the argument where value of system data is contrasted with value of user data. Data in system files may have close to zero value, yet there needs to be assurance of their integrity for the reasons that have nothing to do with their replaceability.

I don't compare the value of my car with the value of my life when I go to replace faulty brakes. If I did, I'd say hell with the brakes, let the car wreck -- I'll just get a new one.

I doubt that "many devs are thinking that the most valuable data are the system files". It's not data in system files that need protection. It's the advertised behavior of programs that needs to remain as advertised.

[halfvulcan]

For a simple and short explanation of the benefits of a sandbox, I recommend going to sandboxie.com. Right there on his front page. "Trust no program". Some of us find ourselves in a situation of having to use certain communications software because friends and family use it. We don't have the source code for it, but we use it because we have to. Well, that doesn't mean we have to trust it. Block that sucka. Don't let it see or modify more than it needs to do the only thing it's SUPPOSED to be doing.
Also, Firefox may be somewhat trustworthy until you install extensions and plugins. And I don't know about you, but one reason I'm still using Firefox is because of the capabilities and customizability added by extensions, but I sure don't trust them and I don't know how to inspect the code they consist of. This gives me a way of saying "you shall not pass!"

[halfvulcan]

If you are using an older firefox profile, it is suggested that you add “bind=/dev/urandom”, as Firefox uses this for security purposes.

I think I also had to give it access to /dev/random.

[IgnorantGuru]

Sandfox has been updated to 0.9.6. Three changes: Sandfox can now bind /dev/random, which may be necessary for printing in Firefox (my Firefox 3.6 crashes if I select File|Print without it). It is suggested that you add "bind=/dev/random" to your Firefox profile, or delete your profile and Sandfox will recreate it with the new default.

Also, the copy and hide tmpfs size has been raised to 100MB. You can also adjust this yourself by editing the line "tmpfslimit=100M" in the script.

And a user-contributed Skype profile has been added - feedback welcome.

http://igurublog.wordpress.com/downl...cript-sandfox/