Question on private-bin & Hyperlinking #3308

Closed
svc88 opened this issue Mar 30, 2020 · 17 comments
Labels
information_old (Deprecated; use "doc-todo" or "needinfo" instead) Information was/is required

Comments

@svc88 commented Mar 30, 2020

I'm experimenting with QuiteRSS and if I use the default profile as is, I am unable to open links in Firefox.
If I
A: comment out private-bin quiterss from quiterss.profile
or
B: run quiterss with --ignore=private-bin
then I am able to open the links in Firefox.

What is the significance of ignoring private-bin and hyperlinks working after that?
What does private-bin actually do?
Why is this happening?
I know you will tell me that to be safe, it's better to copy and paste the link, but for some apps such as QuiteRSS convenience is needed when clicking on 100 links per day. If I run any app with --ignore=private-bin, what security implications are there?
Why did hyperlinking in firejail break after Firefox 67.0 version as per this #2720

Any app I run with firejail, hyperlinking is broken.

I'm sorry I don't know much about private-bin and where the file is, because I cannot find it. Is it generated on container creation? There is not much information on this in the wiki.

firejail version: 0.9.62
Xubuntu 18.04

PS: Firefox is NOT firejailed when doing this. New Firefox installation & profile.

@rusty-snake (Collaborator) commented

If you set for example private-bin foo,bar,baz in your profile, then firejail will check whether foo, bar and baz exist. Then it creates a tmpfs over /bin, /usr/bin, /sbin, ... and bind-mounts all programs it has found (vaguely).

Why is that good? It restricts the available programs; for example, if an attacker knows a vulnerability in quiterss which allows him to execute various shell commands, but there is no bash, no ls, no curl, he can't exploit it.

> There is not much information on this in the wiki.

Also look at the manpage.

If it works with ignore private-bin, it is maybe enough to add firefox (or whatever) to private-bin: firejail --private-bin=firefox quiterss.

@rusty-snake rusty-snake added the information_old (Deprecated; use "doc-todo" or "needinfo" instead) Information was/is required label Mar 30, 2020
@svc88 (Author) commented Mar 30, 2020

I see, thanks for the clarification @rusty-snake

I did try with
private-bin quiterss,firefox
I even tried with
private-bin quiterss,firefox,xdg-open,exo-open
and it won't open the hyperlinks.
Is there any other executable it uses for hyperlinks? There is no error in the log I'm generating.

Could you try to reproduce?

@rusty-snake (Collaborator) commented

Start quiterss with this and open a link: firejail --build quiterss | grep private-bin

@svc88 (Author) commented Mar 30, 2020

I see that the executable for firefox is a link to a firefox.sh file.
Do you think maybe that's why there's an issue?

@rusty-snake (Collaborator) commented

firefox.sh will need a shell.

@svc88 (Author) commented Mar 30, 2020

> firejail --build quiterss | grep private-bin

This opens links now but I don't see any output in the terminal or in a generated log file.

> firefox.sh will need a shell

I used:
private-bin quiterss,sh,firefox.sh,bash,firefox
Still won't open links.

@rusty-snake (Collaborator) commented

No output? OK, then try firejail --build firefox | grep private-bin.

@svc88 (Author) commented Mar 30, 2020

firejail --build firefox | grep private-bin
Sandbox: SandboxReporter: packet too short (32 < 88)
Sandbox: SandboxReporter: packet too short (33 < 88)
Sandbox: SandboxReporter: packet too short (33 < 88)
Sandbox: SandboxReporter: packet too short (33 < 88)
Sandbox: SandboxReporter: packet too short (33 < 88)

And I tried in a different terminal with opening a link:
firejail --build quiterss | grep private-bin
no output

@svc88 (Author) commented Mar 30, 2020

So now I got this:
Error: cannot open whitelist-common.inc
when closing QuiteRSS after that in the terminal.

@rusty-snake (Collaborator) commented

OK, then run firejail --trace=quiterss.trace quiterss and after that grep -oE " /usr/bin//?[^/:]+" quiterss.trace | sort -u.

Alternatively, go through firefox.sh and select every program.
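The trace-grepping approach above, as an added example that is not part of the thread: a small POSIX sh script that parses a constructed trace (the line format is assumed, since real firejail --trace output is not shown here) and turns the programs it found under /usr/bin into a private-bin line. Shell builtins such as export or exit never appear as paths, which is why they do not need listing.

```shell
#!/bin/sh
# Constructed sample of what a firejail --trace log might contain
# (assumed format: "[process:pid] syscall path"). Not real output.
SAMPLE_TRACE='[quiterss:4321] exec /usr/bin/sh
[quiterss:4321] open /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
[sh:4322] exec /usr/bin//which
[sh:4322] exec /usr/bin/readlink
[sh:4322] open /usr/bin/dirname
[sh:4322] exec /usr/bin/firefox
[firefox:4323] open /usr/bin/firefox
[quiterss:4321] exec /usr/bin/sh'

# trace_bins TRACE_TEXT
# Prints the unique basenames referenced under /usr/bin, one per line,
# sorted. Tolerates the doubled slash ("/usr/bin//which") the thread's
# grep pattern also allows for. Library paths are ignored.
trace_bins() {
    printf '%s\n' "$1" \
        | grep -oE ' /usr/bin//?[^/:[:space:]]+' \
        | sed -E 's#^ /usr/bin//?##' \
        | sort -u
}

# private_bin_line TRACE_TEXT
# Formats the result as a line ready for ~/.config/firejail/quiterss.local.
# Review the list before using it: a shell (sh) in private-bin widens the
# sandbox, which is the trade-off discussed in this thread.
private_bin_line() {
    printf 'private-bin %s\n' "$(trace_bins "$1" | paste -sd, -)"
}

# Example invocation on the constructed trace.
private_bin_line "$SAMPLE_TRACE"
```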

@svc88 (Author) commented Mar 30, 2020

Thanks @rusty-snake
OK, so I went into firefox.sh and literally used every single executable: export, exec, exit, break, etc.

It came down to it needing only the following to make hyperlinks work again:
private-bin quiterss,firefox,sh,which

All the other executables that were not included: does that mean firefox.sh wouldn't run entirely correctly if I leave them out and only use firefox,sh,which?

@rusty-snake (Collaborator) commented

> export, exec, exit, break,

Those are all shell builtins. I downloaded the firefox.deb for ubuntu and came to this: sh,which,readlink,dirname,sed,basename,gdb,valgrind
sed is only used for the usage output and basename, gdb, valgrind only for debugging. For readlink and dirname I'm not sure, but if you see no warnings in the terminal it should be ok. In the worst case firefox can't start.

@svc88 (Author) commented Mar 30, 2020

Well, I never start firefox by opening a link from quiterss. So only when firefox is already open will I open a link, and it seems to open the tab fine so far.
Just wondering (because a system installation of firefox is using a stupid shell script to run and not just its executable): can I use the portable version https://ftp.mozilla.org/pub/firefox/releases/74.0/linux-x86_64/en-GB/firefox-74.0.tar.bz2 with firejail? Do you think it's safer to use that without sh, which, etc.?

@rusty-snake (Collaborator) commented

fedora and arch are also using shell scripts to start firefox.

> can i use the portable version https://ftp.mozilla.org/pub/firefox/releases/74.0/linux-x86_64/en-GB/firefox-74.0.tar.bz2 with firejail,

You mean like this: https://github.com/netblue30/firejail/wiki/Sandboxing-Binary-Software#mozilla-firefox-opt-install

> do you think its safer to use that without sh,which, etc.

For quiterss yes, because there is no shell.
For firefox no, because mozilla's binaries have no PIE.

@rusty-snake (Collaborator) commented

I'm closing here due to inactivity; please feel free to reopen if you have more questions.

@gasull commented Nov 15, 2021

The suggested solutions didn't work for me on Debian 11. For anybody landing here, this is what I put in my ~/.config/firejail/quiterss.profile:

ignore private-bin
ignore blacklist ${PATH}/dash
ignore blacklist ${PATH}/sh
include /etc/firejail/quiterss.profile

@rusty-snake (Collaborator) commented

> ~/.config/firejail/quiterss.profile:
>
> ignore private-bin
> ignore blacklist ${PATH}/dash
> ignore blacklist ${PATH}/sh
> include /etc/firejail/quiterss.profile

The prettier way: ~/.config/firejail/quiterss.local

ignore private-bin       <--- maybe private-bin foo,bar works too
include allow-bin-sh.inc
