Linux as replacement for XP

Discussion in 'all things UNIX' started by Windows_Security, Oct 18, 2014.

  1. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    This is not necessary or, better said, suboptimal as, e.g., Chrome started by another application would not be firejailed. Rather execute

    sudo firecfg

    This will create symbolic links for your applications to firejail in /usr/local/bin -> symlink invocation.
     
  2. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    But aren't they requiring a higher version number than what is currently on Linux?
     
  3. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    No, see, e.g., this release note. You'll see the version numbers at the bottom of that site. The thing is that the Linux version doesn't get new features but still security fixes.
     
  4. That is what I like about Linux, a lot of people helping you out with directions. Only it is explained in insiders lingo. Could you help me an outsider (my nickname is Windows_Security, not Linux_Security) with an example to start Chromium firejailed?

    Would this be the sequence of Terminal Commands?

    $ which -a chromium-browser-gtk
    /usr/bin/chromium-browser-gtk

    $ sudo ln -s /usr/bin/firejail /usr/local/bin/chromium-browser-gtk

    $ which -a chromium-browser-gtk
    /usr/local/bin/chromium-browser-gtk
    /usr/bin/chromium-browser-gtk

    How do you start Chromium fire jailed?
    By just creating a shortcut/starter "chromium-browser %U"?

    Thanks
     
    Last edited by a moderator: Jul 18, 2016
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    The sysmlinks method posted by summerheat works. You can also go to Properties->Desktop Entry->Command of the chromium shortcut and place it in there. I use, for example:

    Code:
    firejail  --caps.keep=sys_chroot,sys_admin,sys_time,sys_tty_config,wake_alarm --dns=8.8.8.8 --dns=8.8.4.4 chromium-browser %U
    Of course you can go very simple with, for example:

    Code:
    firejail chromium-browser
    ...if you wanted to. Also you can use these commands from the terminal.
     
    Last edited: Jul 18, 2016
  6. I use
    Code:
    firejail chromium-browser
    but Summerheat said that Chrome won't start firejailed

    But Wat0114 post this is ok
    Now I am confused :confused:
     
  7. Anyone knows why Thomas (TLU) status is depreciated to guest?
     
  8. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    No idea but I noticed that tlu was a "guest" at least a year ago.
     
  9. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Not with all functions enabled. I don't use Chrome or Chromium, but I'm sure you can use them with Firejail if you don't block a few syscalls and/or disable seccomp or something like that. There's more info on the Firejail thread here on WS.
     
  10. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Don't worry - it's actually rather easy ;)

    What wat0114 suggested is correct. However, if you add firejail to the chromium shortcut and chromium would be started by clicking a url in another application, this would mean that chromium would not be firejailed as that shortcut or starter would not be used. Rather, the system looks in the $PATH in order to find chromium. Just execute

    Code:
    echo $PATH
    to find the path entries on your system. You'll notice that /usr/local/bin (and possibly /usr/local/sbin - but that differs from distro to distro) are positioned before all other locations, in particular /usr/bin. Now, if you simply execute

    Code:
    sudo firecfg
    it will create symbolic links in /usr/local/bin for those installed applications for which profiles exist in /etc/firejail. Just execute

    Code:
    sudo firecfg --list
    to see which symbolic links were created - or simply navigate to /usr/local/bin in your file manager. You'll see that those symbolic links all point to /usr/bin/firejail. But as /usr/local/bin is your first position in the $PATH this means that chromium would be started firejailed. The firejail entry in the shortcut is therefore unnecessary. This works reliably as long as the other application doesn't use the absolute path to your browser, i.e. /usr/bin/chromium, in its settings. In most cases it doesn't.

    2 suggestions:
    1. If you want to add more switches as wat0114 suggested, I would create the folder ~/.config/firejail and create the file chromium-browser.profile therein. It would look like this:
    Code:
    include /etc/firejail/chromium.profile
    caps.keep sys_chroot,sys_admin,sys_time,sys_tty_config,wake_alarm
    dns 8.8.8.8
    dns 8.8.4.4
    Profiles in ~/.config/firejail take precedence over profiles in /etc/firejail.

    2. If you create own profiles in ~/.config/firejail for other applications not yet included in /etc/firejail, executing sudo firecfg wouldn't add a symlink to /usr/local/bin. You would have to execute
    Code:
    sudo ln -s /usr/bin/firejail /usr/local/bin/your_application
    I hope this clarifies things :)
     
  11. @summerheat that does not work

    When I enter "sudo firecfg" it retuns "command not found"

    Note:

    I understand the logic of writing manuals for insiders. It saves a lot of time and prevents people without enough IT knowledge to mess up their system. Only linux geeks top this principe

    I wrestled through some documentation, I will update my post
     
    Last edited by a moderator: Jul 20, 2016
  12. Xubuntu as XP replacement (Zorin was first, Lubuntu with XP skin second, Xubuntu third try)

    Personalisation
    1. Changing desktop background with a oicture is easier when using right click on the picture, for wall papers use the desktop appearance applet.
    2. Before you can move the taskbar to the bottem, you have to unlock it and grab it on the sides (left or right) otherwise it flies back.
    3. Changed the taskbar background to bleu-ish solid color to resemble Win7 a little.
    4. Appearance selected Greybird style, with elementary Xfce icons
    5. Choose Doloa as style in Windows (looks) manager
    6. In (theme) configuration I enabled altenative taskbar colour (set to blue also)
    Installing essentials for mailreader and webbrowser
    • Update language packs
    • Enable updates from Canonical-partners in Software & Updates
    • Install Chromium from the build in Software (manager)
    • Install flash through terminal command (sudo apt-get install adobe-flashplugin)
    • Install firejail through terminal command (sudo apt-get install firejail)
    • Configure Chrome privacy & security
      - disable all Chrome services except Safe browsing
      - allow session cookies only, block third party cookies, request do not track
      - flags #disable-hyperlink-auditing #reduced-referrer-granularity
      - extensions: WebRTC leak prevent, CanvasFingerPrintBlock, Avast Online security
      - flags: #enable-permission-blacklist, #extension-content-verification (strict)
    Installing other software
    • Wine to install a typical Dutch cards game (Klaverjassen which my senior relatives like).
    • Games: Hearts, Kpatience (sudo apt-get install kpat) and (tuxkarts for their grand-grandchildren)
    • Grub editor to make Windows the default OS and start after 5 seconds (but that is only for my setup).

    Using firejail
    • Thunderbird
      Change shortcut / starter of Thunderbird from "thunderbird %U" to "firejail thunderbird %U".
      Cavat: running Thunderbird firejailed, disables links to websites. I did not found an easy solution for it.

    • Chromium-browser
      There is a trick to start firejail in stead of chromium-browser. It is called symbolic links. Run all these commands in Terminal
      Code:
      sudo ln -s /usr/bin/firejail /usr/local/bin/chromium-browser
      sudo which -a chromium-browser  /usr/local/bin/chromium-browser /usr/bin/chromium-browser
      
      You can check whether this works by sending yourself an email with a link of a website. Open in in Thunderbird not firejailed. Open terminal command and enter firejail --list (nothing should be seen). Click on the link (Chromium should start) and repeat terminal command firejail --list (now you should active sandboxes)
     
    Last edited by a moderator: Jul 20, 2016
  13. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    You really don't need to create shortcuts if you want to edit the applications so that they start with Firejail. I don't remember exactly how to do it, but you just open the "Start Menu", then click "Run Program", then you'll see a down arrow, click on it. Now all your programs will appear. Right-Click on one and click "Edit". There you go :D This is the most window-sy way of doing it.
     
  14. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Oops - so it seems that you're still running an old version of Firejail. firecfg was introduced with v. 0.9.40.
     
  15. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Did he install Xubuntu 15.10? Or 16.04?

    EDIT: Oh, nevermind. 16.04 still has version 0.38.
     
  16. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Or create a symlink like you did for chromium-browser.
    It works for me with Firefox. Note that the thunderbird.profile contains
    Code:
    include /etc/firejail/firefox.profile
    Perhaps adding
    Code:
    include /etc/firejail/chromium-browser.profile
    helps.
     
  17. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Thanks - that explains it!
     
  18. It works now (firejail --list proves it). Problem with don remember exactly is that the computer will say no :D
     
    Last edited by a moderator: Jul 20, 2016
  19. Will wait for the firejail update, so firecfg becomes available on Xubuntu 16.

    Thanks for your suggestion, will try that later
     
    Last edited by a moderator: Jul 20, 2016
  20. Okay, including /etc/firejail/chromium-browser.profile removes access rights also, so Thunderbird has no access to its own profile, so that does not work.

    TLU has given some directions, but these are to much "Linux geek" for a Windows user.

     
  21. More sandboxing using AppArmor, again could not Thunderbird getting to work, but AppArmor contains a default Chromium-browser profile.

    Open up Terminal and enter

    Code:
    sudo apt-get install apparmor-utils
    
    sudo apt install apparmor-profiles
    
    sudo systemctl reload apparmor.service
    
    sudo aa-enforce /etc/apparmor.d/usr.bin.chromium-browser
    
    
    When you enter (in terminal)

    Code:
    sudo apparmor_status
    
    It should show that chromium is profile is enfored
    upload_2016-7-24_17-45-20.png

    Overall not bad for a total noob on Linux to add a two sandboxes to Chromiumś internal sandbox.

    I did just for fun, no idea whether this actually increases Chrome protection, my guess is that those different sandboxes all use kernel stuff, so kernel exploits would still be the achilles of this tripple sandbox.
     
    Last edited by a moderator: Jul 25, 2016
  22. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Yes, true. However, the Chrome sandbox and Firejail use seccomp-bpf. It filters system calls which in turn reduces the attack surface of the kernel. More info here. AFAIK, there is nothing similar available for Windows. Please correct me if I'm wrong.
     
  23. Well on windows you can use about://flags to obtain additional attack surface reduction

    Enable PPAPI Win32k Lockdown #enable-ppapi-win32k-lockdown (disables access for PPAPI plugins to win32K)
    Enable AppContainer Lockdown #enable-appcontainer (enables windows build in Sandbox)

    But it is not the same.
     
  24. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    When you launch a firejailed thunderbird it runs in a single sandbox with two processes.
    Click on a link in thunderbird and in my case firefox launches and runs as another process inside the sandbox.

    ocky@ocky-desktop:~$ firejail --tree
    3049:eek:cky:/usr/bin/firejail thunderbird
    3050:eek:cky:/usr/bin/firejail thunderbird
    3061:eek:cky:/usr/lib/thunderbird/thunderbird
    3238:eek:cky:/usr/lib/firefox/firefox http://www.moneyweb.co.za/moneyweb-opinion/soapbox/

    You can also check this with sudo firemon which is to be started before running thunderbird. Once thunderbird is launched the terminal
    will start filling.

    Regards
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.