Fox in a box (chroot Firefox)

Has anyone chrooted Firefox? Any success or horror stories?

Using kde. I presume that the best way to do this is to replace the
usr/bin/firefox script with a link to the jail that contains copies of
all of the various other scripts and links; and that I should replace
the home/usr/.mozilla library with a soft link to .mozilla in the same

Am guessing that this will be a real effort if one is using JS, mplayer
plugins, etc.!?

Re: Fox in a box (chroot Firefox)

homey.... what are you trying to do anyway? -- chroot a web browser??

the thing is, if you are working with KDE edit the .kdesktop
properties, go to advanced and run 'firefox' as an unprivileged

if the program does not provide a service to others there is not much
sense chrooting programs...

if you need to run a program without privileges do su - $username -c

or edit the icon properties...

so, i think you should define why you are trying to 'chroot' a client

See ya

Re: Fox in a box (chroot Firefox)

yes..... obviously.

What's with the "homey" insult? You generally mean-spirited? Or simply
rude when confronted with a new idea?

1. Numerous, recent updates of FF address exploitable weaknesses.
Certainly there are more to come.

2. Plugins (e.g. java, mplayer) and extensions present another
source of potentially badly coded code - which could be overrun
and exploited. Indeed, some plugins are now being targeted.

3. There are an increasing number of browser-oriented exploits,
created by now-professional hackers who have a cash market for the
gleaned information. There is no reason to think that a complex,
multi-platform program such as Firefox becomes immune, simply because
it is running on a Linux OS.

Good suggestion. FF is already unprivileged. Additionally, KDE
Kwrapper, kdeinit, etc. are all launched by an unprivileged user.

By connecting to a hostile site, one has established an "allowed",
two-way connection with that entity (as far as the firewalls are
concerned) - much the same as running a server that allows
WAN-initiated connections. I.E. the recognized concern with jailing
"services" refers not strictly to daemons accepting connections, but
rather to any program on your box that allows accessibility and
interaction with the WAN.

Just as one should consider putting a less-than-perfect server in a
box, one should consider putting a less-than-perfect browser in a box.

But you obviously disagree with all of the above (and therefore have no
experience with putting Firefox in a jail), so let us agree to disagree
on the need for doing it, and spare other readers here our bickering.

Re: Fox in a box (chroot Firefox)

Rogers, sorry about the homey thing, i did not mean to be rude, in my
town "homey" is like a friend, a dude... i was not trying to upset you

OK, sounds like fun to chroot firefox, but if you run an application as
an unprivileged user there is not too much risk of being taken, you're
right about open connections or established links between hosts.

it would not be that hard, you only need to have all needed resources in a
filesystem, other way to reduce problems with processes that could be
hacked is to use /etc/limits, also use proc filesystem... and sysctl

Re: Fox in a box (chroot Firefox)

Then please let me apologize..... I misunderstood.

Yes; and I've been working on that as the primary security mechanism -
trying to keep everything at as low a privilege as possible. And as I'm
the only user, I'm pretty safe. Main concerns are with installing
something that's been "tweaked"; or getting trojaned over the web
through an exploit, overrun, etc.

IIUC, that's how they're getting firewalled ("routered") windows boxes
these days, and I figure that 'nix and macs with similar software will
be added to the group. Have jailed ("hardened" jails with PAX
protection) everything that connects with the WAN (e.g. snort, tor,
httrack, ethereal, etc.), but have not taken on Firefox and
Thunderbird: they seem a big job.

But OTOH, Firefox - especially with Java, JS, and other things - has
got to be the most important potential intruder vector on my box.

Don't know; I'd guess it includes the browser and X-system, and
potentially some of the kde environment....... which is why I'd hoped
someone else could describe how big it is, or list out his jail :-)

 > other way to reduce problems with processes that could be

Good advice. Didn't know about limits..... need to figure out how to
use it. I'd think that allowing one instance each of my various,
wan-connected users (e.g. snort) would be a good start.

Also thanks for the sysctl idea. I ran it last night and realized that
my syn cookies had been turned off - don't know how that happened. At
any rate I'm working on a script that'll run that thing and grep the
listing for any changed settings :-)

Re: Fox in a box (chroot Firefox)

a good way to control sysctl settings is to use /etc/sysctl.conf, linux
kernel reads this file on startup to set up customized settings in
/proc/sys, you could check several settings here.

Also take good care about /dev/kmem and /dev/kcore, these "files" are a
source to hack the kernel in linux (luckily you need root id to change
something here) also watch out for infected kernel modules... there is
a patch to /dev/kmem but it is a little bit hard to setup...

if i remember anything else i'll post it here...

good luck

Re: Fox in a box (chroot Firefox)

these settings would help you out a bit this blocks some malformed ip
packets, some icmp tricky packets... etc etc..


Re: Fox in a box (chroot Firefox)

Dang! Good stuff! My "firewall" (firehol) effects some of this, but
I'll hardwire them here as well.

More good stuff!! Thanks again.

Am running a Grsecurity kernel which protects writes to /dev/mem, kmem,
and port - but no mention of kcore. So kmem is probably covered, but
I'll check the privileges on the other.

Thanks, Mr. Boy!

Re: Fox in a box (chroot Firefox)

A couple of additional settings worth having...

# Establish better keepalive values
net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_time = 600

# Control wild ICMP traffic
net.ipv4.icmp_ratelimit = 100
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

Bradley W. Olin                          "do or do not, there is no try" Yoda
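
The thread mentions a script that lists the sysctl settings and greps for changed values, and the post above gives concrete values to hold. The following is an added example, not code from any poster: it checks a sysctl.conf-style baseline against the live values under /proc/sys. The function names `sysctl_drift` and `baseline_from_thread` and the optional root argument are hypothetical, and keys are assumed to map to paths by replacing dots with slashes.

```shell
#!/bin/sh
# Added example (not from the thread): compare live sysctl values to a baseline.

# Baseline in sysctl.conf syntax; these are the values posted in the thread.
baseline_from_thread() {
cat <<'EOF'
# Establish better keepalive values
net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_time = 600
# Control wild ICMP traffic
net.ipv4.icmp_ratelimit = 100
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
EOF
}

# sysctl_drift BASELINE_FILE [ROOT]
# ROOT defaults to /proc/sys; the optional argument is an assumption of this
# example so the check can be pointed at a test tree.
# Prints one line per mismatch and returns 1 if anything drifted.
sysctl_drift() {
    baseline=$1
    root=${2:-/proc/sys}
    drift=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $line in
            ''|'#'*|';'*) continue ;;   # blank lines and comments
            *=*) ;;
            *) continue ;;              # not a key = value line
        esac
        key=$(printf '%s\n' "${line%%=*}" | sed 's/[[:space:]]*$//')
        want=$(printf '%s\n' "${line#*=}" | sed 's/^[[:space:]]*//')
        # Dotted key to path: net.ipv4.x -> ROOT/net/ipv4/x
        path=$root/$(printf '%s\n' "$key" | tr . /)
        if [ ! -r "$path" ]; then
            echo "MISSING $key: expected $want"
            drift=1
            continue
        fi
        # Multi-value entries are tab separated in /proc/sys; normalise them.
        have=$(tr -s '[:space:]' ' ' < "$path" | sed 's/^ //; s/ $//')
        if [ "$have" != "$want" ]; then
            echo "DRIFT $key: expected $want, found $have"
            drift=1
        fi
    done < "$baseline"
    return "$drift"
}
```

Run it from cron or a login script as `sysctl_drift /etc/sysctl.conf`; a non-zero exit status means at least one live value no longer matches the file.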