Jailing Firefox .....Getting error .... Can't proceed

Four requirements must match to make the script run cleanly:
  1. Execution permission for updater.sh (chmod 700 updater.sh).
  2. The jail's /tmp directory must have write permission for 'others' (updater.sh is creating some temporary files there).
    # chmod 757 /zroot/jails/firefox/root/tmp (or chmod 777)
  3. The jail must be running; start jail 'firefox'.
  4. The script must be executed inside the jail's chroot environment.
    On host, as root, chroot as user 'firefox', into user 'firefox's home directory, into jail 'firefox':
    # jexec -l -U firefox firefox
Execute the script, exit the chroot, and revoke the jail's /tmp directory's write permissions (chmod 755).

Alternatively to point #4, place updater.sh in /zroot/jails/firefox/root/home/firefox/bin and run on the host as root:
# jexec -U firefox firefox updater.sh
Make sure the permission is set to execute and owner:group is firefox:firefox.
 
T-Daemon
I don't know what went wrong. Now I can't even install addons.

Making it read only off has no effect.
Code:
zfs set readonly=on zroot/jails/firefox/root

At first I thought the mozilla addon server is down but then I launched the Firefox which is installed on the host. I was able to install addons normally.

ksnip_20220227-161831.png
 
Making it read only off has no effect.
Code:
zfs set readonly=on zroot/jails/firefox/root
Here readonly=on|off has an effect only on zroot/jails/firefox/root, not on zroot/jails/firefox/home where the 'firefox' user's home resides.

Only the jail's root dataset is read-only. The jail's home dataset and the following automatically created directory and sub-directory firefox/Downloads are writable:
Code:
# zfs get -r readonly zroot/jails/firefox
NAME                      PROPERTY  VALUE  SOURCE
zroot/jails/firefox       readonly  off    default
zroot/jails/firefox/home  readonly  off    default
zroot/jails/firefox/root  readonly  on     local
zroot/jails/firefox/tmp   readonly  off    default
zroot/jails/firefox/var   readonly  off    default

You may have connection, not write permission problems. Check the connection from the jail. Do normal internet pages load?
 
Here readonly=on|off has an effect only on zroot/jails/firefox/root, not on zroot/jails/firefox/home where the 'firefox' user's home resides.
You may have connection, not write permission problems. Check the connection from the jail. Do normal internet pages load?
Yes all the pages like Youtube, Facebook, etc are loading fine.
When I try to download any file this happens. So there's definitely some permission issues.

ksnip_20220227-193511.png
 
T-Daemon
I have 3 Firefox profiles. I just found that this permission issue is happening in 2 profiles out of 3. I can install addons on 1 profile as usual.

I tried

Code:
# jexec -l firefox
Code:
# chown -R firefox:firefox /usr/home/firefox/

but I still can't install addons or download any file on the above mentioned one profile.

I am sure this is a simple permission issue.
 
Check the search bit ('x', see chmod(1)) of the directories from the profile in question. chroot(8) to 'firefox' user of jail 'firefox':
Code:
host # jexec -l -U firefox firefox

jail $ ls -lR .mozilla/firefox/<profile> | grep ^d

All directories of the owner should be drwx.... Sample:
Code:
drwxr-xr-x  2  firefox  firefox  ...
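
A broader form of the directory check suggested above, as an added example that is not part of the original thread. It goes beyond the search bit and also reports files the owner cannot read or write and entries with the wrong owner; the function name `check_profile` and its output labels are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the thread): report entries in a Firefox profile
# tree that would stop the owning user from creating or changing files.
#
# check_profile <profile-dir> <expected-owner>
#   prints one "KIND path" line per finding:
#     DIRMODE  - directory where the owner lacks read, write or search (x)
#     FILEMODE - regular file the owner cannot read or write
#     OWNER    - entry not owned by <expected-owner> (name or numeric uid)
#   returns 0 when nothing was found, 1 otherwise
check_profile() {
    profile=$1
    owner=$2

    if [ ! -d "$profile" ]; then
        echo "MISSING $profile"
        return 1
    fi

    # Each find is piped through sed so that a "permission denied" while
    # descending does not abort the check; the unreadable directory itself
    # is still reported by the DIRMODE test.
    report=$(
        find "$profile" -type d ! -perm -700 2>/dev/null | sed 's/^/DIRMODE /'
        find "$profile" -type f ! -perm -600 2>/dev/null | sed 's/^/FILEMODE /'
        find "$profile" ! -user "$owner" 2>/dev/null | sed 's/^/OWNER /'
    )

    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}
```

Inside the jail (after `jexec -l -U firefox firefox`), source the file and run `check_profile .mozilla/firefox/<profile> firefox` for each profile. Comparing the output of a working profile with a failing one narrows down whether the difference is mode or ownership.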
 
Permissions look good. Was the addon installation and file download issue present from the beginning with those profiles or did it happen after some time?

Not sure what to suggest further, maybe update www/firefox to latest version available from repository and try the following recommendations:

In case of addons you could try saving the addon to file (*.xpi, right click on "Add to Firefox" button, save to file), then install from file in about:addons
 
Was the addon installation and file download issue present from the beginning with those profiles or did it happen after some time?
It happened after some time. Frankly speaking this is disappointing. Creating this Jail wasn't easy. All credit goes to you.
Q) Running Firefox inside a Jail vs. running Firefox inside a VirtualBox VM ..... Which provides more isolation?
Host : FreeBSD
VM : FreeBSD / Linux
 
Frankly speaking this is disappointing. Creating this Jail wasn't easy.
It's hard to tell where the problem exactly lies, but the indication that 1 of 3 profiles has no problems, I would say, puts the blame on the Firefox profile, not the jail.

I've tested the jail (in a VirtualBox VM) and have no problems whatsoever regarding saving files and installing addons.

Q) Running Firefox inside a Jail vs. running Firefox inside a VirtualBox VM ..... Which provides more isolation?
Looking at the vulnerability lists of both systems, in all good conscience, I can't speak for one system or the other.
VirtualBox:
Search for 'jail':
and recently:
 
Looking at the vulnerability lists of both systems, in all good conscience, I can't speak for one system or the other.
That's extremely depressing. What's the best way to keep personal data isolated? So that, be it an OS-level vulnerability or a browser exploit, my personal data is safe?
 
What kind of personal data?
By personal data I mean everything that I have stored locally like family photos, songs, videos, my KeePassXC database, etc.

Edit: I just moved the .mozilla folder from the jail to the host's home, ran the update.sh script and then moved it back to the jail. This is not ideal but doable.
 
There is no 100% safety from exploits on computers. You can secure a system as much as you want; there will always be a way to circumvent the security.

I'm no expert on this topic, but if I were concerned about the security of personal data, to minimize the surface for exploits, I would full-disk encrypt the system to make it inaccessible when the machine is powered down.

When the machine is powered up, I would isolate the personal data in an encrypted container, mount it as necessary.

On FreeBSD, geli(8) from the base system is available; with OpenZFS, encrypted datasets can be created; third-party utilities are sysutils/pefs-kmod and security/veracrypt.
 