[svlug] Restricting privileges

Sarah Newman newmans at sonic.net
Wed Jan 14 17:19:26 PST 2015


So, hopefully most of you have seen the advisory about the updates for firefox allowing arbitrary
code execution. Other than or in addition to running firefox as a different user, I'm wondering
about further mechanisms for restricting access as running firefox in a full-blown VM is not
necessarily feasible for video intensive operations.

One method is to white-list processes that a given process tree can execute. I found
https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt but this is not meant to be called
by an end user.

So, I poked around and found that apparmor is probably the right way to do this. apparmor is
file/program based rights as opposed to user based rights, though it looks like the "ix" (inherit
apparmor profile on execute) might be able to help with user based restrictions if particular users
always start by running a particular program, see
http://manpages.ubuntu.com/manpages/trusty/man5/apparmor.d.5.html

To enable apparmor under ubuntu you need to do
update-rc.d apparmor enable
service apparmor start

Then for firefox specifically
cd /etc/apparmor.d
cp usr.bin.firefox usr.lib.firefox.firefox

Edit

/usr/lib/firefox/firefox{,*[^s][^h]} {

to be

/usr/lib/firefox/firefox {

(see https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1364305)

then run

aa-enforce /usr/lib/firefox/firefox

You can test whether apparmor is working by changing the '  / r,' line to ' deny  / r,' , re-running
aa-enforce, and going to "file:///"

For running firefox as a different user (improvements welcome)

1. To startup applications, add xhost +SI:localuser:firefox
2. useradd -m firefox
3. usermod -s /bin/false firefox
4. sudo cp -r ~/.mozilla ~firefox
5. chown -R firefox:firefox ~firefox/.mozilla
6. From visudo -f /etc/sudoers.d/firefox:
$USER ALL=(firefox) NOPASSWD:/usr/lib/firefox/firefox firefox -ProfileManager -no-remote
7. Edit firefox menu entry to be:
sudo -Hufirefox /usr/lib/firefox/firefox firefox -ProfileManager -no-remote

Regards, Sarah



More information about the svlug mailing list