Secure Containerized Browser

[elimelech007]

By default Chromium on OpenBSD (not so) recently got OpenBSD’s unveil(2) support. That means that of you run Chromium with --enable-unveil flag then it will be prevented from accessing anything other than the ~/Downloads directory. No such thing on FreeBSD exists. Firefox or Chromium have access to all files user can read – even to your system sshd(8) keys or even worse to your private keys laying in the ~/.ssh dir.

Is it so critical and is it necessary to make a container for the browser? Why does the operating system give such permissions by default?

 

[SirDice]

Why does the operating system give such permissions by default?

Any process that runs in the user's context is able to access everything that user has access to. That's how things work.

 

[jbo@]

Is it so critical and is it necessary to make a container for the browser?

Whatever floats your boat man. There are people that run LibreOffice in a jail. And I don't judge them for that. Ideally we'd run most things in a jail, wouldn't we?

To quote Zirias here:

JFTR, I don't do anything like this. I decided for myself following updates closely is "secure enough" for me.

Security is always a trade-off situation. Find your personal goldilock zone and move on with your life. Whatever that level/threshold is just differs per user.

 

[kpedersen]

That means that of you run Chromium with --enable-unveil flag then it will be prevented from accessing anything other than the ~/Downloads directory.

Actually, this is now default. You need to manually specify to disable unveil on Chromium (running on OpenBSD) these days to access things like the filesystem, webcam, mic, X11 screen share, etc.

I possibly agree with it for a web browser because they are written by very scummy developers. I don't think it is as necessary for other programs (I do use a Jail for libreoffice, mainly to control the terrible sprawl of dependencies ).

 

[Zare]

Any process that runs in the user's context is able to access everything that user has access to. That's how things work.

Unfortunately today "things work" in the sense that user application uses OS's facility to automatically deliver some "security feature" that user has no control of.

If you need to chain down what application running under limited user context can do, that means that user context has not been set in the right way.

Is it so critical and is it necessary to make a container for the browser? Why does the operating system give such permissions by default?

Absolutely no.
The UNIX treats the uid/gid grouping as basic domain of security. If it's accessible under the rights masking system, it's accessible. It is your hypothetical mistake, if you run a piece of software that runs remote code in the same domain with your ssh keys.

 

[jbo@]

Firefox or Chromium have access to all files user can read – even to your system sshd(8) keys or even worse to your private keys laying in the ~/.ssh dir.

Personally, what I do is placing all my sensitive data on an encrypted ZFS dataset and mount that on demand. My SSH keys are also located on that encrypted dataset and I simply have a symlink to ~/.ssh. When opening a web browser I just unmount the dataset and unload the encryption key(s).
Alternatively (or additionally), just make sure that the user/group running your web browser simply doesn't get access to your SSH keys.

No such thing on FreeBSD exists.

Keep in mid that there are reasons was to why we have "so many operating systems to choose from". Each OS/project focuses on different aspects. OpenBSD is well known for their absolutely fabulous strong focus on security. FreeBSD attempts to be more general purpose (personal interpretation) so you get stuff on FreeBSD that you don't get on OpenBSD.
If security is of a major concern on a level that FreeBSD cannot fulfill you're luckily allowed to use OpenBSD in those scenarios

It is your hypothetical mistake, if you run a piece of software that runs remote code in the same domain with your ssh keys.

+1

 

[ralphbsz]

By default Chromium on OpenBSD (not so) recently got OpenBSD’s unveil(2) support. That means that of you run Chromium with --enable-unveil flag then it will be prevented from accessing anything other than the ~/Downloads directory.

Note that this only works if the Chromium source code cooperates, and makes the correct unveil() calls at the correct time. And given how complex the Chromium source code is, are you sure that it does that?

Like everything in security, it comes down to an issue of trust, and of tradeoffs between trust, security, and usability.

Do you trust code that runs in random web pages (using Javascript or Java or whatever programming languages web pages support these days)? Good question. That depends on your environment, what web pages you visit, and whether you know where those pages came from. As an example, on my work computer (where there is quite a bit of valuable information, which should not get leaked), I will not visit a lot of web pages (such as Yandex or Tencent), but I will visit others that I trust more.

Do you trust the web browser itself? Again, that depends on the web browser, and your personal or professional relationship with the people who write that web browser. There's a reason I don't run an open source web browser: I trust the engineers who work for Apple or Google more than random anonymous engineers on the internet.

Do you trust the OS to protect files according to its rules? Here it gets quite easy, and I believe that file systems such as ext2/3/4 or ZFS and operating systems such as the *BSD (including MacOS) implement access control correctly.

 

[unitrunker]

I feel obligated to put this here:

GitHub - valpackett/capsicumizer: Run anything (like full blown GTK apps) under Capsicum

Run anything (like full blown GTK apps) under Capsicum - valpackett/capsicumizer

github.com

 

[Cath O'Deray]

… Firefox … have access to all files user can read …

I don't know about Chromium, but to the best of my knowledge Mozilla Firefox does (at least) prevent extensions from accessing the file system without user intervention. Words to that effect; I don't have a reference handy.

Native messaging - Mozilla | MDN is somewhat different. As far as I know, this is what's used by extensions such as Open With:

 

[pufferbeastie]

Is it so critical and is it necessary to make a container for the browser? Why does the operating system give such permissions by default?

Most *nix including *BSD by default use DAC from the old good days. You may want MAC instead.

Many ways to deal with browsers, depending on what you feel comfortable with and the amount of time/convenience/functionality you're willing to sacrifice for that level of comfort.

You can air gap and only use browsers on a dedicated physical machine that you don't do anything else on and don't connect to the rest of their local network, and that you securely dispose of after each session.

You can run an emulated virtual machine such as Bochs on your host and only run browsers in that.

You can run a virtualized virtual machine such as bhyve on your host and only run browsers in that.

You can rent a virtual desktop in the cloud or rent a VPS or dedicated server and install your own desktop environment or Windows on it. There are also different choices in order to connect to it securely, including only ever run the ssh/vnc/rdp client using a dedicated air gap machine that you securely dispose of after each session.

You can run a container such as a jail on your host and only run browsers in that.

You can set up MAC rules and run the browsers as is.

You can create your own "MAC" by running browsers using a different account and encrypt/lock down folders containing your sensitive data.

etc...

Of course, none of these give you much protection against Google or Facebook or your ISP selling your data for profit. Good luck believing that they put your interest before theirs.

 

[facedebouc]

I am currently running my browser as another user which can't access my files and it's enough security for me.
It's a combination of security/sudo and a startup script in my own bin directory.

$HOME/bin/mybrowser.sh

#!/bin/sh
#
# Run my favourite Web browser under limited user account
# to prevent access to sensitive data.

PATH=/usr/local/bin:/usr/bin:/bin

AUTHUSER=joebrowser
AUTHSTRING=SI:localuser:${AUTHUSER}
AUTHBROWSER=firefox

xhost +${AUTHSTRING} > /dev/null
sudo -n -u ${AUTHUSER} ${AUTHBROWSER}
xhost -${AUTHSTRING} > /dev/null

/usr/local/etc/sudoers

# Allow joe user to run Firefox as joebrowser user
joe  mycomputer=(joebrowser) NOPASSWD: /usr/local/bin/firefox

I added myself to the joebrowser group to access his Download directory.

 

[Cath O'Deray]

A month back I had installed OpenBSD but then I moved back to FreeBSD. While using Firefox under OpenBSD I found that Firefox is completely isolated. I was not able to either upload or download any file to my /home/username. I can do this under Linux using firejail. Can I implement this kind of isolation under FreeBSD ? My goal is to isolate Firefox like OpenBSD leaving only /home/username/Downloads.

I thought first of this:

GitHub - ddowse/jailfox: A BastilleBSD template to run Firefox in a secure containerized environment : freebsd

However:

Bastille jail: no sound in firefox

I have successfully created a jail & installed Firefox inside the jail problem Firefox is completely mute. I can't watch Youtube. How do I enable sound in the jailed Firefox ?

forums.freebsd.org

Earlier:

Do you run Firefox inside a jail ?

When I was using Linux I used a sandbox tool called Firejail. I was using almost all network facing apps inside firejail sandbox. When I tried to find an Firejail alternative for GhostBSD/FreeBSD I found this >> click here. I am at the moment using Firefox without any sandbox. Is that bad for...

forums.freebsd.org

 

[john_rambo]

By default Chromium on OpenBSD (not so) recently got OpenBSD’s unveil(2) support. That means that of you run Chromium with --enable-unveil flag then it will be prevented from accessing anything other than the ~/Downloads directory. No such thing on FreeBSD exists. Firefox or Chromium have access to all files user can read – even to your system sshd(8) keys or even worse to your private keys laying in the ~/.ssh dir.

Is it so critical and is it necessary to make a container for the browser? Why does the operating system give such permissions by default?

I tried OpenBSD some months back and found that Firefox is fully isolated. Not even ~/Downloads is whitelisted. I was trying to upload a file but couldn't. I am paranoid about security so I was quite happy but later I found that OpenBSD offers absolutely zero updates for not only Firefox but all user installed applications. You have no choice but to use that same version of Firefox which that version of OpenBSD has in its repos. They offer updates to the base using syspatch but again no updates for Firefox. In the end you get a super secure base (as per their claim) with a out of date web browser.

I can think of a way to isolate Firefox under FreeBSD but is a bit resource hungry and tiresome. I am thinking of installing FreeBSD inside Virtualbox and using that VM to browse websites that I don't trust.

 

[john_rambo]

grahamperrin
Yes, I did my best some time back but failed in the end.

 

[Cath O'Deray]

OpenBSD: updates​

… zero updates for not only Firefox but all user installed applications …

Maybe some misunderstanding. Please see:

• <https://www.openbsd.org/faq/faq15.html#PkgUpdate>

Beyond that (sorry): I'm not familiar with OpenBSD.

john_rambo, thanks for your insight into other aspects of the OS. (I know that you used it for around six months, however I can't guess when that period ended.)

FreeBSD​

Please, are you still a user? (According to XenForo, the last sight of you was more than three months ago …)

 

[charlie137]

There's a reason I don't run an open source web browser: I trust the engineers who work for Apple or Google more than random anonymous engineers on the internet.

You talking about engineers who allowed senior staff to “deprecate” a damn firewall back in 2020???

 

[getopt]

charlie137
The sentence you cited is a bitter cherry pick. The sentences before must be read too. It is a very personal reasoning as ralphbsz is likely to have some real buddies in these companies. So it is a very personal reasoning.

Although trusting a good known buddy may be a category error as it is the company that is responsible for the product. Trusting Alphabet Inc. or Apple Inc. is another beast. They might have superb quality control, which is in their interest, but customers interests are always different.