web browser suid [was Preemptive strategies]

Jan Dvorak jan.dvorak at sitronicsts.com
Tue Sep 30 00:50:59 PDT 2008


On Tuesday 30 September 2008 06:11:58 Robert Connolly wrote:
> These programs do a lot of downloading... for example they could
> download to a partition which is noexec, so nothing downloaded could be
> executed directly. I haven't tried this, and don't know it if works.

It might. What about chroot? If we allow every interactive user to use 
chroot and ensure it can only be used to lower privileges (with GRSec)... 
You would only need a simple FUSE filesystem to make downloads directory 
visible to the browser and you can enforce noexec when you are at it.

> In Linux, web-based plugin installs are extremely rare unless you're
> root, in my experience.

Nope, I install from update.mozilla.org pretty often. Root never runs 
browser and I'm usually the only user.

> Partitioning the browser would help reduce privilege escalation,
> including to non-root users (especially non-root users with sudo
> rules).

Take away it's rights, put it in a jail and aim a gun at it.

> This is just a random thought that occurred to me when thinking about
> the problem Windows has when installing all plugins as root, and that
> it could affect Linux users installing/running as their own user.

Let's find a way to prevent hijacked browser or IM client putting this to 
user's .bashrc:

function sudo ()
{
	/usr/bin/sudo "${@}"
	local res=$?
	test ${res} -eq 0 && /usr/bin/sudo ~/.malicious-software &>/dev/null
	return ${res}
}



More information about the hlfs-dev mailing list