Securely running Firefox in a chroot
First problem: Debian stable’s Firefox is old (2.x). Solution: install a //chroot// containing Sid, and install the latest version.
Thing is, it’s a recurring problem in Debian; I had removed my chroot settings last time Sid turned to Stable, and I forgot how it was done. This time I’ll document it.
Second problem: The Web browser is one of the most critical pieces of software you use. The main assets on a computer are its functions (the programs and servers you run) and your data.
My machine acts as a server, so it runs Apache; but Apache can normally only read files, not write to them. So a vulnerability in Apache alone won’t compromise my system much.
On the other hand, my Web browser has the same rights as me, which means it can read or write any of my personal files. A vulnerability in Firefox is a threat to all my data.
Solution: run Firefox under a different user ID which has access to nothing.
So, let’s do it.
I use //schroot// as a wrapper to //chroot//.
# Set up chroot
debootstrap sid sid
# Use same users as main system
cd sid/etc
rm passwd; ln /etc/passwd .
rm shadow; ln /etc/shadow .
rm group; ln /etc/group .
ln /etc/hosts .
# Install Firefox
cd ..
chroot .
apt-get update
apt-get install iceweasel
Now outside the //chroot// we add the user (which automatically gets added to the //chroot// as well) and install //schroot//:
adduser me_www
apt-get install schroot
vi /etc/schroot/schroot.conf
<< configure >>
For some reason X forwarding won’t work if the //chroot// doesn’t share the same /tmp as the main system (this doesn’t totally make sense to me) so we add this to {/etc/fstab}:
/home /root/chroot/sid/home/ none bind 0 2
/dev /root/chroot/sid/dev none bind 0 2
/tmp /root/chroot/sid/tmp none bind 0 1
/sys /root/chroot/sid/sys none bind 0 1
Don’t forget to mount all that ({mount -a}); then we can start Firefox, in the //chroot//, under the new user ID:
schroot -u me_www -c sid -- iceweasel --display $DISPLAY
Simple, innit?
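The bind mount above exposes all of /home inside the //chroot//, so what me_www can actually reach is decided by ordinary permission bits. The script below is an added example, not part of the original post: it lists what the "other" permission class can read or write under a tree, assuming me_www shares no group with the file owners and ignoring ACLs; the sample directory and its names are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Reports what the "other"
# permission class (an account like me_www, assumed to share no group with
# the file owners) can reach under a tree such as the bind-mounted /home.
# Only mode bits are checked; ACLs and parents above ROOT are ignored.

# _walk ROOT TAG TESTS...: print "TAG path" for matches, never descending
# into a directory that lacks o+x (nothing below it is reachable).
_walk() {
    root=$1; tag=$2; shift 2
    find "$root" \( -type d ! -perm -001 -prune \) -o \( "$@" -print \) |
        sed "s|^|$tag |"
}

# other_access ROOT: R = readable file, W = writable file,
# D = directory where "other" may create entries.
other_access() {
    {
        _walk "$1" R -type f -perm -004
        _walk "$1" W -type f -perm -002
        _walk "$1" D -type d -perm -002
    } | LC_ALL=C sort
}

# Constructed sample tree standing in for /home; every name is made up.
make_sample_home() {
    t=$(mktemp -d) && chmod 755 "$t"
    mkdir -m 755 "$t/alice"
    mkdir -m 777 "$t/alice/pub"
    mkdir -m 700 "$t/bob"
    echo notes > "$t/alice/notes.txt"; chmod 644 "$t/alice/notes.txt"
    echo key > "$t/alice/id_rsa";      chmod 600 "$t/alice/id_rsa"
    echo data > "$t/bob/secret";       chmod 644 "$t/bob/secret"
    echo "$t"
}

# Audit the directory given as $1 (for example /home); with no argument,
# audit the constructed sample and clean it up afterwards.
if [ -n "${1:-}" ]; then
    other_access "$1"
else
    sample=$(make_sample_home)
    other_access "$sample"
    rm -rf "$sample"
fi
```

Pass /home as the argument on the real system; any R, W or D line for something you care about means the browser account can reach it, and a home directory with mode 700 hides everything beneath it.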