[ubuntu-hardened] Ideas outside the SELinux box

Jeff Schroeder jeffschroed at gmail.com
Fri Feb 15 00:57:46 GMT 2008


Me And You wrote:
> On Thu, Feb 14, 2008 at 2:03 PM, Jeff Schroeder <jeffschroed at gmail.com> wrote:
>> Me And You wrote:
>>  ...
>>
>>> -Running high risk desktop applications as another user.
>>> Namely Firefox. In the last few months (and before that), we've seen
>>> a slew of vulns for ff. Most of them could be negated with the
>>> NoScript extension, but not everyone is going to use that. So I
>>> suggest running ff as a user other than the default desktop user. The
>>> reason for this is simple: the typical desktop user has everything of
>>> value to them under that user. If someone exploits firefox and is able
>>> to read/modify everything that the default user owns, well that's damn
>>> near everything that's important. We could make a shared "download"
>>> directory or some such for accessing files and so forth. I don't think
>>> this will be default, but having the option (something like apt-get
>>> install ff-secure) would be nice.
>> And if there is a local user priv escalation bug in the Linux kernel then
>> the attacker uses Firefox running as the other user to get root. If we drew
>> an attack tree of your model, it falls down there. Firefox should be confined
>> using Mandatory Access Control such as SELinux and/or AppArmor by default.
>> That is a much better solution and is certainly a goal for the future.
>>
> 
> I agree, but I don't know how soon SELinux will be implemented by
> default. I suppose the likelihood of this idea being implemented by
> default sooner is just as likely, but I thought of this as an
> "in between" kind of solution (in between now and SELinux integration).
That's why I said, "SELinux and/or AppArmor". Ubuntu ships AppArmor in enforcing
mode by default. Even though AppArmor is easy to circumvent with something like
cp `which firefox` firefox.exploitme; ./firefox.exploitme

For this reason (path-based vs label-based security) SELinux is a more difficult
to subvert solution. AppArmor would still be more security than it is now.

> I'll check out that script as soon as I get time, should it work
> across Feisty and Gutsy? (some things have changed in Gutsy from what
> I've seen).
Let me look at it tonight and I'll update it to work on Gutsy. The apt
stuff should be removed entirely.

---
Jeff Schroeder
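As an added example (not part of the thread above), a small POSIX shell check for the weakness Jeff describes: because AppArmor attaches profiles by path, a copy of the Firefox binary run from elsewhere shows up as "unconfined". The script reads the label the kernel exposes in /proc/PID/attr/current (assumed format: "unconfined" or "<profile> (enforce|complain)") and flags any firefox-like process that is not enforced.

```sh
#!/bin/sh
# Added example: verify that running Firefox processes are actually
# confined by AppArmor. Assumes the kernel exposes the confinement label
# in /proc/<pid>/attr/current as "unconfined", "<profile> (enforce)" or
# "<profile> (complain)".

# apparmor_mode LABEL -> prints enforce | complain | unconfined | unknown
apparmor_mode() {
    case "$1" in
        unconfined|"")   echo unconfined ;;
        *"(enforce)"*)   echo enforce ;;
        *"(complain)"*)  echo complain ;;
        *)               echo unknown ;;
    esac
}

# check_pid PID -> prints "<pid> <exe> <mode>"; returns 1 unless enforced
check_pid() {
    pid=$1
    label=$(cat "/proc/$pid/attr/current" 2>/dev/null || echo unconfined)
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
    mode=$(apparmor_mode "$label")
    echo "$pid $exe $mode"
    [ "$mode" = enforce ]
}

# audit_firefox -> lists every process whose executable path contains
# "firefox"; returns 1 if any of them is not in enforce mode (for example
# a renamed copy of the binary that escaped the path-based profile).
audit_firefox() {
    bad=0
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in *firefox*) ;; *) continue ;; esac
        check_pid "$pid" || bad=1
    done
    return "$bad"
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1-}" = "--audit" ]; then
    audit_firefox
fi
```

Run as `sh check_ff.sh --audit` on the desktop in question; a non-zero exit means at least one Firefox process is running outside an enforcing profile.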
