
#1 2011-03-17 08:39:36

pablokal
Administrator
From: Nijmegen, Holland
Registered: 2010-10-12
Posts: 3,596
Website

Run firefox in a sandbox for more security

Why run Firefox or other programs in a sandbox? In the Firefox example, there are many components running: Java, Flash, and third-party plugins. All of these can open vulnerabilities due to bugs and malicious code; under certain circumstances these components can run anything on your computer and can access, modify, and delete your files. It's nice to know that when such vulnerabilities are exploited, these components can only see and access a limited subset of your files.

For example, to build a sandbox for Firefox and start Firefox running in the sandbox, close all running windows of Firefox, then:

sudo sandfox firefox

Sandfox has a default profile for Firefox, so it will automatically load that profile. The profile tells Sandfox how to build a sandbox which provides the system and user folders that Firefox requires. (For full functionality of your version of Firefox, you may want to edit this profile to add more folders and files.) The profile is stored in /etc/sandfox/firefox.profile.

Installation

On Arch Linux, you can install Sandfox using the AUR or "packer -S sandfox". (The PKGBUILD will always download and build the latest version.)

Before running Sandfox, install required packages using your package manager.
On Arch Linux:

pacman -S inotify-tools

More info: http://igurublog.wordpress.com/download … t-sandfox/


Getting your questions answered here at ArchBang Forums
Please! Always give hardware info, if there is a chance that's relevant: #lspci -vnn
On Arch(bang) and Openbox: http://stillstup.blogspot.com/

Offline

#2 2011-08-17 06:31:29

pablokal
Administrator
From: Nijmegen, Holland
Registered: 2010-10-12
Posts: 3,596
Website

Re: Run firefox in a sandbox for more security

New version of Sandfox available; more info: http://igurublog.wordpress.com/2011/08/ … fox-1-1-0/

Also interesting: Installing Aptosid on the Asus A53E-XN1: http://igurublog.wordpress.com/2011/08/ … -a53e-xn1/



Offline

#3 2011-08-17 19:47:17

ArchVortex
Retired
From: Bali
Registered: 2011-04-01
Posts: 1,464

Re: Run firefox in a sandbox for more security

Thanks for posting this. Will try later today. Great script!!

I read IgnorantGuru's post a few days ago and loaded in Aptosid XFCE on a Debian fanboy friend's new Asus netbook following IG's instructions. Installed Network Manager so my friend can use his usb modem and everything's running smoothly and quickly. Will do the same for myself on the weekend when I get a new Asus netbook to play with. And as IG did, I will use LXDE for my desktop.


You have the capacity to learn from mistakes. You'll learn a lot today.
FP:E5F8 7DBA 8128 9ACB 75F7 7279 BE34 AB66 76D9 16DE
KEY ID:76D916DE
Currently running ArchBang / LinuxBBQ / Funtoo (FunBang?) / FreeBSD / SlackBang Current 14.2

Offline

#4 2011-12-04 21:12:05

indosupremacy
Member
Registered: 2011-10-27
Posts: 10

Re: Run firefox in a sandbox for more security

Got this error while trying to 'sudo sandfox firefox' (firefox already closed):
mount: /mnt/sandfox/firefox/bin is busy
sandfox: Error: bindro mount failed on /mnt/sandfox/firefox/bin
Any idea what's wrong?

Offline

#5 2011-12-05 05:02:46

pablokal
Administrator
From: Nijmegen, Holland
Registered: 2010-10-12
Posts: 3,596
Website

Re: Run firefox in a sandbox for more security

see comment 17 on this page:
http://igurublog.wordpress.com/download … t-sandfox/

He comes with this proposal to add to the initscript /home/user/.xinitrc:

To background the startup of sandfox and create a delay in the init script, you can do something like this:

    ( sleep 10 ; /usr/bin/sandfox --profile firefox --sandbox firefox --user myuser ) &

To check how it is working and what is going on use:

Note that many programs, such as Firefox, will write useful error messages to stdout. Normally, Sandfox does not display the stdout messages, but you can tell it to do so by including the "--verbose" option.

Include "--verbose" when you create the sandbox, then leave that shell open and check it for messages. Even if you start additional sandboxed programs from another shell, their stdout messages may be displayed in the original shell that created the sandbox. (This is because when Sandfox is run without root, it uses a daemon to start programs inside the sandbox.)

For example, with no sandbox open*, create an initial sandbox with:

sudo sandfox --verbose firefox

Leave that shell window open. You may see some messages from Firefox in it. Now close Firefox, and open a second shell window. As a normal user run:

sandfox firefox

Firefox should start again (running in the sandbox). Any stdout messages will appear in the first shell window.

* How to close all sandboxes:

When you are done with the sandbox, close all programs running in the sandbox, then run

sudo sandfox --closeall

A nice way to test the sandbox is to try and save a file to a directory that is not in the sandbox:
it won't work, the wall in action.
If you are clever you only use one folder for that purpose, to save files from firefox.



Offline
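
Added example, not part of the thread and not Sandfox's own code: a way to see which mounts make up the sandbox and which of them are writable, complementing the save-a-file test in post #5 and the mount error in post #4. It assumes the sandbox is built from mounts under /mnt/sandfox/firefox (the path in the error message); the sample mount table is constructed and the function names are hypothetical.

```bash
#!/bin/bash
# Added example: audit the mounts that make up a sandbox.
# Input is a mount table in /proc/mounts format on stdin:
#   device mountpoint fstype options dump pass

# Constructed sample table (not captured from a real system).
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda2 /mnt/sandfox/firefox/bin ext4 ro,relatime 0 0
/dev/sda2 /mnt/sandfox/firefox/usr ext4 ro,relatime 0 0
/dev/sda3 /mnt/sandfox/firefox/home/user/Downloads ext4 rw,relatime 0 0
/dev/sda3 /mnt/sandfox/firefoxold/home ext4 rw,relatime 0 0
tmpfs /mnt/sandfox/firefox/tmp tmpfs rw,nosuid,nodev 0 0'

# sandbox_mounts ROOT [rw]
# Prints every mount point at or below ROOT; with "rw", only writable ones.
sandbox_mounts() {
    awk -v root="${1%/}" -v mode="${2:-all}" '
    {
        mp = $2
        # Accept ROOT itself or a path below it, not a sibling like ROOTold.
        if (mp != root && index(mp, root "/") != 1) next
        writable = 0
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) if (opts[i] == "rw") writable = 1
        if (mode == "rw" && !writable) next
        print mp
    }'
}

# mount_count ROOT: how many mounts exist at or below ROOT (0 = nothing mounted there).
mount_count() {
    sandbox_mounts "$1" | wc -l | tr -d ' '
}

# Demo on the sample; on a live system use: sandbox_mounts ROOT rw < /proc/mounts
root=/mnt/sandfox/firefox
echo "mounts under $root: $(printf '%s\n' "$SAMPLE_MOUNTS" | mount_count "$root")"
echo "writable mounts:"
printf '%s\n' "$SAMPLE_MOUNTS" | sandbox_mounts "$root" rw
```

Every path in the writable list is a place a sandboxed program can still modify, so that is the list to keep short when editing a profile.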

#6 2011-12-05 19:24:14

Kruppt
Moderator
From: Blue Ridge Mountains, NC
Registered: 2010-12-20
Posts: 299

Re: Run firefox in a sandbox for more security

Another method of running SandFox (be sure it is installed via packer -S sandfox)

sudo /bin/bash
touch /etc/rc.d/sandfox
pcmanfm &

Drill along path /etc/rc.d/sandfox in pcmanfm file manager and open the sandfox file in a GUI text editor.
Copy below text which resides in the below code box and paste it into the /etc/rc.d/sandfox file.
Edit "sandfoxuser=" line to equal your username. Save changes to file.

#!/bin/bash
# Sandfox boot startup script for Arch Linux
#
# Edit the values of the sandfoxuser, sandfoxprofile, and sandfoxbin variables
# below:
#   sandfoxuser    - the normal user who will be running programs in the sandbox
#   sandfoxprofile - the profile name from /etc/sandfox used to create the sandbox
#   sandfoxbin     - the location of the sandfox script on your system
# Feel free to customize this startup script with additional profiles or have it
# run sandfox multiple times to create multiple sandboxes.
sandfoxuser=Your_User
sandfoxprofile=firefox
sandfoxbin=/usr/bin/sandfox

. /etc/rc.conf
. /etc/rc.d/functions

start() {
	stat_busy "Starting Sandfox"
	"$sandfoxbin" --profile "$sandfoxprofile" --user "$sandfoxuser"
	if [ $? -gt 0 ]; then
		stat_fail
	else
		add_daemon sandfox
		stat_done
	fi
}

stop() {
	stat_busy "Stopping Sandfox"
	"$sandfoxbin" --closeall --user "$sandfoxuser"
	if [ $? -gt 0 ]; then
		stat_fail
	else
		rm_daemon sandfox
		stat_done
	fi
}

case "$1" in
	start)
		start
		;;
	stop)
		stop
		;;
	restart)
		stop
		sleep 3
		start
		;;
	*)
		echo "Usage: $0 {start|stop|restart}"
esac
exit 0

Using same pcmanfm file manager instance, drill to your /etc/rc.conf file
and open it with GUI text editor. Look for the DAEMONS=() line in file and add "sandfox" to it.
(Be sure to add it before your login manager which should be last if you are starting login manager as a daemon).
Save changes to file.

Examples:
DAEMONS=(dbus hal guarddog syslog-ng @wicd @alsa cupsd lp anacrond tor privoxy webwasher timidity++ sandfox)
DAEMONS=(dbus hal guarddog syslog-ng @wicd @alsa cupsd lp anacrond tor privoxy webwasher timidity++ sandfox @kdm)

Sandfox will be started every time you boot computer and log in as chosen user, and will be shut down upon shutting down computer.

Sandfox can be started, restarted or stopped at anytime running these below commands from root term/console:

rc.d start sandfox
rc.d restart sandfox
rc.d stop sandfox

Offline

#7 2011-12-06 01:29:54

Mr Green
Administrator
Registered: 2010-11-07
Posts: 6,694

Re: Run firefox in a sandbox for more security

Would be handy to have this daemon added to Aur package


Comments, suggestions, donations please feel free to contact me mrgreen(at)archbang(dot)org

Offline

#8 2011-12-06 11:19:10

Kruppt
Moderator
From: Blue Ridge Mountains, NC
Registered: 2010-12-20
Posts: 299

Re: Run firefox in a sandbox for more security

Mr Green wrote:

Would be handy to have this daemon added to Aur package

I think I found this daemon script on IgnorantGuru's blog/website .....I think.
He is the code guru for sandfox script and the sandfox daemon script above.
He is the one who manages/provides the Arch AUR package also.

Offline

#9 2013-10-09 09:34:22

throne777
Member
From: UK
Registered: 2013-10-08
Posts: 11

Re: Run firefox in a sandbox for more security

How much of a performance hit will you take running Firefox in a sandbox?


'All we ever were, just zeroes and ones'

Offline

#10 2013-10-09 12:33:24

pablokal
Administrator
From: Nijmegen, Holland
Registered: 2010-10-12
Posts: 3,596
Website

Re: Run firefox in a sandbox for more security

Just try it and of course depending on your system you will not or hardly notice the difference.



Offline

#11 2015-01-22 07:24:19

alexch
Member
Registered: 2015-01-22
Posts: 1

Re: Run firefox in a sandbox for more security

Could somebody explain, please, how to provide sandbox autostart(stop) with systemd?

Offline

#12 2015-01-22 09:55:47

pablokal
Administrator
From: Nijmegen, Holland
Registered: 2010-10-12
Posts: 3,596
Website

Re: Run firefox in a sandbox for more security

I don't autostart sandfox so I have no experience doing it but found this: http://0x32202.tumblr.com/

Howto add Sandfox to Systemd on Archlinux

I’m using Sandfox for a while, and wanted to load the service when my box is booting. Since Archlinux doesn’t support rc.d anymore the instruction here http://igurublog.wordpress.com/download … x/#install is kind of outdated. I was trying to find another instruction on how to add Sandfox to Systemd, but ended up reading a whole forum list and still didn’t have the solution. Well here it is:


# 1

Create a file /etc/systemd/system/sandfox.service and paste the following code in it. Notice! You’ll have to change the username


[Unit]
Description=Sandfox


[Service]
Type=forking
ExecStart=/usr/bin/sandfox --verbose --profile=firefox --user=YOURUSER
ExecStop=/usr/bin/sandfox --closeall


[Install]
WantedBy=multi-user.target


#2

to start the service enter “sudo systemctl start sandfox”
(at start sandfox creates /mnt/sandfox/firefox)


to enable the service on boot enter “sudo systemctl enable sandfox”


to stop the service enter “sudo systemctl stop sandfox”
(make sure firefox and all sandboxed applications are closed. At stop the created /mnt/sandfox/firefox will be removed)


to remove the service enter “sudo systemctl disable sandfox”


to check the status of the service enter “sudo systemctl status sandfox” or “sandfox --status”


#3

Start Firefox sandboxed enter “sandfox firefox”


# Hint

Since I use a lot of keyboard shortcuts I added “sandfox firefox” to a shortcut. It looks like this “bindsym $ALT+w exec sandfox firefox” This way Firefox is always started in a sandbox.

You only have to add " sandfox  firefox  &" to autostart with a delay of say 45 seconds, haven't tested this.



Offline
