Page 3 of 4
Results 21 to 30 of 35

Thread: Sandfox - A Poor Man's Firefox Sandbox

  1. #21
    Join Date
    Feb 2007
    Beans
    206
    Distro
    Kubuntu

    Re: Sandfox - A Poor Man's Firefox Sandbox

    Quote Originally Posted by halfvulcan
    I think I also had to give it access to /dev/random.
    On Arch at least, this used to cause mount to hang. But I have corrected this in 0.9.6.
    Check out my blog for useful scripts and tips... http://igurublog.wordpress.com

  2. #22
    Join Date
    Dec 2009
    Beans
    121
    Distro
    Kubuntu 12.04 Precise Pangolin

    Re: Sandfox - A Poor Man's Firefox Sandbox

    Quote Originally Posted by halfvulcan
    Some of us find ourselves in a situation of having to use certain communications software because friends and family use it. We don't have the source code for it, but we use it because we have to. Well, that doesn't mean we have to trust it.
    Could you share instructions on how you sandbox that certain application?

  3. #23
    Join Date
    Nov 2008
    Beans
    17

    Re: Sandfox - A Poor Man's Firefox Sandbox

    The instructions for sandfox on IgnorantGuru's blog page provide a method for creating profiles for applications. There's usually trial and error and some testing involved. I tend to start by looking on the internet for an apparmor profile for whatever application I'm trying to barricade. I'm certainly not a pro with this yet though.
    Last edited by halfvulcan; February 21st, 2010 at 04:21 PM.
    I buntu. U?

  4. #24
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Sandfox - A Poor Man's Firefox Sandbox

    Quote Originally Posted by halfvulcan
    The instructions for sandfox on IgnorantGuru's blog page provide a method for creating profiles for applications. There's usually trial and error and some testing involved. I tend to start by looking on the internet for an apparmor profile for whatever application I'm trying to barricade. I'm certainly not a pro with this yet though.
    +1

    IgnorantGuru's Sandbox has rather unique goals and is extremely limited compared to either selinux or apparmor.

    No offense intended, but IgnorantGuru has a healthy mistrust of both selinux and apparmor.

    So while this sandbox may work for IgnorantGuru, for anyone else, be sure you understand the limitations and alternates, in particular Apparmor or Selinux, before you dive into this technique.

    Again, no offense to IgnorantGuru, it is a nice technique and s/he spent a ton of time on this, but we are talking security here and I am simply stating what should be obvious, do not blindly follow this technique without evaluating it fully, including the advantages and disadvantages as well as the alternatives.

    As I have stated earlier, I trust the integrity of my system to Apparmor and this sandbox, IMO, would be relatively easy to break out of if there is a security flaw with the underlying application.

    This technique may isolate a user from his or her self, but offers very little, if any, protection of system files and similar results can be obtained, IMO, either using the guest account or creating a limited account for daily use.

    Again, no offense to IgnorantGuru or anyone who finds this technique helpful, just understand the limitations before you follow it.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  5. #25
    Join Date
    Feb 2007
    Beans
    206
    Distro
    Kubuntu

    Re: Sandfox - A Poor Man's Firefox Sandbox

    Sandfox has reached version 1.0.0, meaning it has proved itself stable. Actually after running it for months I’ve had great results with it. The only change in this version is that /dev/urandom is now treated like /dev/random – both are not remounted to prevent mount hanging on some systems (one user reported having a problem with a /dev/urandom mount hanging).

    As far as a security record at this point, Sandfox has been downloaded many hundreds of times - it has become the second most popular download on the site, and has been discussed here, on the Arch Linux forums, and elsewhere. Thus far no one has demonstrated any exploits nor raised any substantiated security problem.

    http://igurublog.wordpress.com/downl...cript-sandfox/
    Check out my blog for useful scripts and tips... http://igurublog.wordpress.com

  6. #26
    Join Date
    Jun 2010
    Beans
    111
    Distro
    Kubuntu 12.04 Precise Pangolin

    Re: Sandfox - A Poor Man's Firefox Sandbox

    Please, vote

  7. #27
    Join Date
    Feb 2007
    Beans
    206
    Distro
    Kubuntu

    Re: Sandfox - A Poor Man's Firefox Sandbox

    I also voted for your other idea re the firewall - that is sorely needed in Linux and has been for a while.

    In the easy to use department, sandfox does make it as simple as "sandfox firefox" or "sandfox skype", although there aren't any provided profiles for the other programs you mentioned.
    Check out my blog for useful scripts and tips... http://igurublog.wordpress.com

  8. #28
    Join Date
    Jun 2010
    Beans
    111
    Distro
    Kubuntu 12.04 Precise Pangolin

    Re: Sandfox - A Poor Man's Firefox Sandbox

    Thank you. And thank you for sharing your work.
    Actually idea #26902: ref. firewall is not my idea but I voted for it too.
    I hope the idea of sandboxing applications becomes popular. I'd be happy if there was a kind of GUI application control center allowing to control security issues in Ubuntu, including sandboxing. Actually there are 'ideas' about it:
    Idea #1282: Security and stability centre
    http://brainstorm.ubuntu.com/idea/1282/
    Idea #19648: Security Center
    http://brainstorm.ubuntu.com/idea/19648/
    and discussion:
    https://lists.ubuntu.com/archives/ub...l/subject.html

    But I'm a total newbie and I can only vote. I hope developers take into account public requests.

  9. #29
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Sandfox - A Poor Man's Firefox Sandbox

    FYI: As I mentioned earlier ...

    1. Apparmor provides most if not all of this functionality in Ubuntu.

    IMHO I think you would be much better off learning apparmor and/or writing / refining the various apparmor profiles.

    2. Fedora has been working on a sandbox confined by selinux since Fedora 12.

    Here is but one example:

    http://www.bress.net/blog/archives/1...th-Fedora.html

    So again I think it is best to join / contribute to existing projects and personally I would trust apparmor, selinux, openvz, LXC, pax/grsecurity far more than this project.

    If you wish to use Ubuntu, much of what you are wanting already exists with apparmor.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  10. #30
    Join Date
    Sep 2006
    Location
    Huddersfield
    Beans
    85
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Sandfox - A Poor Man's Firefox Sandbox

    I like this Sandfox idea. I'm not a newbie, but I'm not that conversant with configuration-file handling/editing, permissions, etc. This is what Apparmor & SELinux aren't, that is, easy to use.

    Simple and comparatively robust security is the answer to most users' questions in this area. I think Sandfox gives me a tool that is within my competence of using bash.

    Having said that, if Apparmor & SELinux came with a comprehensive GUI, I would be using one of those. Point & click has to be the way to enable general users to feel confident when dealing with security.

    Apparmor is probably the best GNU/Linux SOHO solution, but when, say, you're running a small business, who's got the time to mess with it, especially when you're not sure of what's needed? SELinux or Bastille seem even more complicated. They are techhead solutions, not general users' tools. The Sandfox idea is closer to the general user's competence than the alternatives.
    Last edited by archolman; March 18th, 2011 at 06:26 AM.
    Peace, love & The Archers!
    WinXPHome-SP3 DAW/ Ubuntu 10.04.2LTS Surf&BOINC,
    on
    AMD Athlon64, 2GbRAM
