Open_Source

cpghost cpghost at cordula.ws
Wed Jun 3 10:27:24 UTC 2009


On Wed, Jun 03, 2009 at 11:24:02AM +0200, Wojciech Puchar wrote:
> > secondarily and only when absolutely necessary with the usual
> > firefox+noscript+abp...  both browsers running in a virtual box (qemu,
> > virtualbox) dedicated to this purpose and this purpose only.
> 
> Exaggeration IMHO. Just make sure your normal user has 700 permissions,
> create another and run browser from it.

What about permissions in X? Even if you started the browser as
another user, you'd still have to xhost + that user. And from
there, it's easy to hijack the X session (including keylogging etc.).

So you'll start another Xorg process as the other user, but are you
sure both processes are totally isolated and can't communicate via
unix-domain sockets etc? Checked all perms of all devices, all
FIFOs etc?

The point is: if you start *any* untrusted program on your host OS,
there's a remote possibility that you've overlooked something (your
example with 0700 permissions for home dirs is a good example,
but there's a lot more), and that the process starts seeing stuff
it isn't meant to see.

And even chroot(2) isn't perfect. Remember:

  http://unixwiz.net/techtips/chroot-practices.html
  http://wiki.netbsd.se/How_to_break_out_of_a_chroot_environment

That's just the tip of the iceberg. You never know what's still
lurking out there on the host OS, and when you need strong security, a
virtualized environment for untrusted processes as a minimum is a
*must-have*. And even then, that is risky, if the emulator or
paravirtualizer contains bugs and flaws.

You can get a little bit more confidence with virtualizers if
emulated CPU arch != host CPU arch (e.g. when emulating PPC, 68000
or even more exotic processors on x86), but that's dog slow for
modern day browsing even on fast machines. So it's not always
practical to do so (though when security is paramount, browsing
slowing may well be the price to pay). And obviously, the emulator
still needs to resist specially crafted bytecode that may crash
it in a very specific way (read: an exploit of an emulator's bug)!

> > Of course, I'm taking more precautions, as running in a box may still
> > not be 100% secure, if someone creative enough found a way to break
> > out of the guest OS into the host OS; but everything else is just
> 
> Nobody would write specially prepared webpage exactly for You to break ;)

That's right, and that's why non-Windows users are less exposed to
the usual risks. But still, one has to be careful.

> It's a matter of protecting yourself from "big brothers" that watch 
> others.

Or from "little brothers" that explicitly target your infrastructure
(think: industrial espionage etc.). Those attackers are much more
worrying than your usual suspects, script kiddies et al., as contrary
to the broad attacks of the latter, the former usually have more
resources, including time, to conduct targeted penetration attempts
into your secure environment.

You see, security is more than just protecting the normal desktop
user from vanilla attacks. ;-)

-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
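As an added example (not part of this thread or of any project mentioned in it), a small POSIX sh audit helper for two of the questions raised above: which FIFOs, unix sockets and device nodes a second local user could reach because of their "other" permission bits, and whether the X server's access control is still on. The xhost status-line wording and the `SI:localuser:` entry format are assumed from xhost(1); all sample inputs are constructed.

```shell
#!/bin/sh
# Added audit helper (constructed example, not from the original thread).
# Two checks behind the questions in the post, for a host where the
# browser runs as a second local user:
#  1. which FIFOs, unix sockets and device nodes under a directory can be
#     read or written by "other" (i.e. are reachable from that second uid);
#  2. whether the X server still enforces access control, by parsing the
#     text that `xhost` prints (passed in as a string, so it can be
#     checked without a running display).

# find_other_accessible DIR
# Prints, sorted, every socket (s), FIFO (p), character (c) or block (b)
# device under DIR whose mode grants read (004) or write (002) to "other".
# Numeric -perm forms are used because GNU and BSD find both accept them.
find_other_accessible() {
    find "$1" \( -type s -o -type p -o -type c -o -type b \) \
         \( -perm -004 -o -perm -002 \) -print 2>/dev/null | sort
}

# xhost_acl_enabled "XHOST_OUTPUT"
# Returns 0 when the status line reads "access control enabled", 1
# otherwise (the state `xhost +` leaves behind: any client may connect).
xhost_acl_enabled() {
    case $1 in
        "access control enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# xhost_grants "XHOST_OUTPUT"
# Prints the access-list entries (every line after the status line), e.g.
# "SI:localuser:browser" for a user admitted via `xhost +si:localuser:...`
xhost_grants() {
    printf '%s\n' "$1" | sed '1d'
}

# Stand-alone use: ./audit.sh /dev  (audits that tree and the live X ACL)
if [ -n "${1:-}" ]; then
    echo "== objects under $1 reachable by other uids =="
    find_other_accessible "$1"
    if out=$(xhost 2>/dev/null); then
        if xhost_acl_enabled "$out"; then echo "X access control: enabled"
        else echo "X access control: DISABLED (xhost +)"; fi
        echo "== X access-list entries =="; xhost_grants "$out"
    fi
fi
```

Anything the first check lists is an object the "other user" trick does not isolate, and a disabled X ACL means that user's browser can talk to your X session regardless of home-directory modes.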

