undefined | Better HN

0 pointsaborsy4mo ago0 comments

The situation with firejail is different. There are a lot of profiles, and they are easier to customize and write.

But firejail needs root privilege, so there are arguments that it may actually reduce the security, because even though it sandboxes some applications, non-privilege processes may gain privilege if there is a flaw in the fire jail itself.

Firejail is also criticized for complexity.

0 comments

johnisgood4mo ago

Firejail does not need root privileges at all. You are probably referring to SUID. It is a "setuid ELF 64-bit" executable. I run it with my own user only.

Complexity? It just supports a lot of stuff. See the manual page. It seems simple enough to me.

aborsyOP4mo ago

Yeah, I meant the same thing! If you run it under your non-root user, and there is a vulnerability in firejail, the jailed process could run as root, right?

Complexity referred to large code base and attack surface.

I haven’t tried it myself. I would be interested knowing, whether it might lower the security in some cases. Maybe it’s useful to sandbox apps that don’t have flatpaks.

neobrain4mo ago

SUID by itself is not a security liability. Typically, programs using SUID quickly drop their additional privileges during startup to avoid the scenario you're describing. So the vulnerability in firejail would have to be early during startup before any of that.

Still, it can happen of course, particularly with memory-unsafe languages. Conversely without root privileges you have to sacrifice strength of your sandbox, widening the vulnerability window in the app you were trying to constrain to begin with.

Meanwhile bubblewrap relies on user namespaces, which come with their own set of security problems. They are disabled by default in many distributions for that reason.

jonway4mo ago

Yeah, it runs with escalated privs. People wager that SUID binaries are extremely risky and this seems totally reasonable to me! I don't know where to find a really good security analysis of the risks, however. Firejail is most likely not bullet-proof, although not soft by any stretch of the imagination and I don't know how often and how many security researchers are profiling this tool.

My gut sense is that flatpak gets much more scrutiny since it ships, and firejail is typically not shipped, but another package as far as I can tell (maybe in some specialized distros?).

j / k navigate · click thread line to collapse