Garf's blog: comments feed (Gian-Carlo Pascutto), last updated 2018-05-20T13:58:59.198+02:00

[2018-05-20T13:58:59.198+02:00] Anonymous:
> Of the more popular Linux distros, only Arch Linux ships with user namespaces entirely disabled

We've been shipping them enabled with that very same sysctl patch for a while now.

[2018-05-14T15:52:48.229+02:00] Gian-Carlo Pascutto:
No, we don't use any capabilities in the original namespace. Once it creates a new namespace, the process holds *all* capabilities in the new namespace regardless of what it had outside. Of these, we only require a few, which we drop after the chroot.

Some additional security layers (see the comment below), as well as much discussion around user namespaces, talk about restricting the set of capabilities the process would get in a new namespace (so it doesn't get everything, which in *theory* is harmless, but in practice has pointed out kernel bugs). I pointed out what we require to give some guidance to kernel developers and the people making security profiles on what could be sensible to allow for a "normal" application like Firefox that wants to sandbox itself.

I'll try to reword the text a bit to address the nuance.

[2018-05-12T08:07:10.074+02:00] danice:
OK I understand. You wrote:

"Firefox uses the CAP_SYS_CHROOT capability to chroot() the content processes into an empty directory, thereby blocking their view of the real filesystem. Using user namespaces avoids the need to install a setuid root binary to achieve this."

And then:

"In this context, we'd like to remark that an application like Firefox only needs CAP_SYS_ADMIN, CAP_SYS_CHROOT, CAP_SET(UG)ID to achieve most effect"

One can understand that the main process has all these capabilities. So the correct statement is that Firefox uses only CAP_SYS_CHROOT in the main namespace, and then only CAP_SYS_ADMIN, CAP_SET(UG)ID in unprivileged user namespaces.

[2018-05-11T21:14:59.750+02:00] Gian-Carlo Pascutto:
I think there's some misunderstanding here. We talk about the capabilities in the context of a user namespace. They're not applied to the Firefox process itself (in the original namespace).

Once the content process has used the capabilities inside its own namespace, it can drop them again.

Thus, the security considerations you link to are largely not relevant here. Most of the recent controversy around user namespaces has been due to kernel bugs that allow capabilities to leak to the original namespace, but that's not what those threads talk about.

[2018-05-11T20:58:38.575+02:00] Gian-Carlo Pascutto:
You are right, I'll correct this.

[2018-05-11T20:54:31.317+02:00] Gian-Carlo Pascutto:
Thanks, this is probably required by the crash reporting tool.

[2018-05-11T20:23:01.004+02:00] Gian-Carlo Pascutto:
It would be nice to have, but installing a suid root binary in order to give more defense in depth is right now not terribly appealing work compared to other things we need to do.

Of the more popular Linux distros, only Arch Linux ships with user namespaces entirely disabled. As you found out, Debian has them behind a sysctl.

[2018-05-11T20:21:14.826+02:00] Gian-Carlo Pascutto:
My understanding is that just running a Wayland server sidesteps many of the issues because it doesn't allow applications to indiscriminately muck around with others' windows.

It's exactly this security limitation that caused some backwards compatibility issues and caused Ubuntu to revert to X in 18.04.

But yes, Wayland improves things here a lot.

[2018-05-11T19:11:35.760+02:00] Anonymous:
It seems like CAP_SYS_PTRACE is also needed now. Those changes to the sandboxing impacted the AppArmor profile as shipped by Ubuntu (disabled by default): https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1770600

[2018-05-11T19:02:52.647+02:00] danice:
"In this context, we'd like to remark that an application like Firefox only needs CAP_SYS_ADMIN, CAP_SYS_CHROOT, CAP_SET(UG)ID to achieve most effect"

Is this a joke? If so, it's not funny :(

https://lwn.net/Articles/486306/
https://forums.grsecurity.net/viewtopic.php?f=7&t=2522

and Solar Designer (Openwall.com)

http://www.openwall.com/lists/oss-security/2010/11/08/3

Do you still claim that it improves security?

[2018-05-11T16:01:55.320+02:00] jxn:
Would Wayland builds avoid the X11 protocol concerns you reference, or do they just come with their own new sandboxing issues? I've been trying out Wayland Firefox builds from some patched versions of Firefox, and they seem to be working well. I can't wait for a supported Wayland build.

[2018-05-11T12:50:11.842+02:00] Anonymous:
reduce the margin for error
--->
increase the margin for harmless error
or
reduce the possibility of errors
?

[2018-05-11T08:30:00.280+02:00] glandium:
I've been pointed to: https://sources.debian.org/src/linux/4.16.5-1/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch/
so it's enabled in the kernel, but disabled via /proc/sys/kernel/unprivileged_userns_clone

[2018-05-11T05:52:05.921+02:00] glandium:
Actually... I checked the kernel configuration and CONFIG_USER_NS *is* set to `y`. Yet, Firefox doesn't use user namespaces. I wonder what's up with that.

[2018-05-11T05:48:54.862+02:00] glandium:
Wouldn't it be worth providing a setuid shim for downstreams that don't allow user namespaces but build their own Firefox? (like, totally randomly chosen, Debian)

[2017-11-17T21:47:43.281+01:00] Gian-Carlo Pascutto:
Check here, they're most likely hidden or recoverable:
https://support.mozilla.org/en-US/kb/recover-lost-or-missing-bookmarks

[2017-11-17T21:33:42.527+01:00] Anonymous:
Well, the bookmark list disappeared, and I do hope no further damage is done, but faster it is...

[2017-11-09T21:21:47.775+01:00] josepfebrer:
Great work!

[2016-05-22T03:16:19.548+02:00] Bram Cohen:
First of all, changing everything to a single call to getrandom() or a read from /dev/urandom is absolutely the way to go right now.

That said, the reading of the password file is somewhat defensible. If the randomness pool is implemented properly, then as long as the amount of entropy dropped into it exceeds a reasonable threshold, it's cryptographically impossible for an attacker to figure out what the data mixed in was. This is the whole point of a properly designed randomness pool. Private keying material is just about the only stuff which is supposed to have the property of not being guessable to anyone outside the system, with the counterintuitive result that whatever's in stored passwords and ssh keys is probably the only thing which should be mixed into the pool.

Likewise, mixing in the current time may prevent a real attack: if there's a real source of entropy getting mixed in somewhere but it's the same across reboots, mixing in time will prevent replay attacks. Properly designed entropy pools will handle this properly.

Of course, it may be that there's only a single user on the system and their password is guessable. Or it may be that it's a modern system where password info isn't actually in the password file. And if there's an ssh key then it may be that that key was generated using the same broken random number generator and contains very little entropy itself. So mixing in that info doesn't always fix things. But it also may be the only thing keeping the system secure under others, so it isn't nearly as dunderheaded as it sounds. Mixing in random other files which don't contain keying material is just plain stupid though.

That said, we're long past the point where all computers should come with a built-in source of hardware entropy, and it's totally reasonable for anything which claims to be secure to simply refuse to boot if it isn't there, at which point all this other voodoo should be done away with entirely.

[2016-05-21T18:08:57.532+02:00] shevy:
Here you have to remember that distributions work against users.

In particular for xscreensaver, the author received email from outdated software that was used by, in particular, Debian. So he added the notification.

What was the next result? Debian started to patch-modify that warning away, rather than allowing users a simple way to upgrade.

So those distributions (not all of them) are like a prison. And their users are their prison workers.

[2016-05-21T01:56:54.746+02:00] HacKan:
For sure, this ancient support crap is ridiculous. How about a parallel build for dinosaurs, and one for the rest of mankind?

[2016-05-21T01:33:33.282+02:00] Ernst Sjöstrand:
Agree!

[2015-05-31T01:03:33.468+02:00] Ayman Hossam Fadel:
I've been transferring the picture from my Android phone using Dropbox. On the PC, I right click on the file in Windows Explorer, rotate clockwise, then I do it again, rotating counterclockwise. This seems to work for those images I want to upload to Twitter via PC.

[2013-05-02T18:51:20.410+02:00] Gian-Carlo Pascutto:
Navigate to about:config, then search for media. You'll get a page with toggle buttons.

[2013-05-02T18:30:07.223+02:00] Shachar:
How does one flip the preferences in Android?