[apparmor] [opensuse-factory] 12.1 is around the corner, and I must make my concerns known.
John Johansen
john.johansen at canonical.com
Wed Aug 17 21:13:15 UTC 2011
On 08/17/2011 01:28 PM, Christian Boltz wrote:
> Hello,
>
<< snip >>
>>>> The best example is downloading files - if you want to make
>>>> Firefox really secure, you can limit write access (which includes
>>>> downloads) to /home/*/downloads/**. However I'm quite sure that
>>>> you'll then get lots of complaints because of "I can't download
>>>> files to ~/coolstuff/" ;-)
>>>>
>>>> The alternative that will avoid these complaints is basically this
>>>> rule:
>>>> /** rw,
>>>>
>>>> but this isn't really more secure than not having a profile at
>>>> all. (In fact, someone already posted a modified firefox profile
>>>> with such a rule in bugzilla - but I'm quite sure this will be
>>>> rejected upstream.
>>>>
>>>> Instead of /**, you could of course use /home/**, /tmp/**,
>>>> /var/tmp/** as possible download locations - but that's already
>>>> what the filesystem permissions make from the /** rule, so it
>>>> isn't more secure. (A normal user doesn't have write permissions
>>>> at other places, and if someone runs Firefox as root, well - I
>>>> don't even want to think about that...)
>>
>> owner @{HOME}/** rw,
>>
>> would be even better
>
> Yes, of course - but in practice it doesn't change too much. A normal
> user (hopefully) doesn't have write permissions in another user's home.
> And if you don't include /tmp/**, people will probably complain that
> they can't download a file to /tmp (which might be a valid location for
> "download, unpack and delete the zip/tarball" downloads).
>
> I know about owner restrictions etc. - but my point is that a firefox
> profile that makes everybody happy (by allowing storing downloads
> anywhere) does not really help security-wise.
> And a "secure" firefox profile (restricted to ~/downloads) will cause
> lots of complaints ;-)
>
yep, I have to agree. Currently firefox and desktop apps in general are
really limited to users who have admin rights and like tinkering, or
at least don't mind having some restrictions.
currently it's the services underneath the desktop that should be
targeted.
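A small evaluator for the rule variants compared in this thread (`/** rw,`, `owner @{HOME}/** rw,` plus `/tmp/**`, and a downloads-only rule), added here as an illustration and not part of the original message or of AppArmor itself. It assumes a single constructed home directory standing in for the `@{HOME}` tunable and models only `*`, `**` and the `owner` qualifier.

```python
"""Toy evaluator for the AppArmor file rules discussed above.

Added example, not AppArmor's own matcher. Simplifications (assumptions):
@{HOME} is expanded to a single constructed home directory, and only the
'*' (stays within one path component), '**' (crosses '/') and 'owner'
semantics are modelled. Permissions are single letters such as 'r' and 'w'.
"""
import re

HOME = "/home/alice"      # constructed stand-in for the @{HOME} tunable
ALICE, BOB = 1000, 1001   # constructed uids


def glob_to_regex(path_glob: str) -> "re.Pattern[str]":
    """Translate an AppArmor path glob into an anchored regex."""
    out, i = "", 0
    while i < len(path_glob):
        if path_glob.startswith("**", i):
            out += ".*"          # '**' matches across directory separators
            i += 2
        elif path_glob[i] == "*":
            out += "[^/]*"       # '*' never crosses a '/'
            i += 1
        else:
            out += re.escape(path_glob[i])
            i += 1
    return re.compile("^" + out + "$")


def parse_rule(line: str):
    """'owner @{HOME}/** rw,' -> (owner_flag, regex, set of perms)."""
    tokens = line.rstrip(",").split()
    owner = tokens[0] == "owner"
    path_glob, perms = tokens[-2].replace("@{HOME}", HOME), set(tokens[-1])
    return owner, glob_to_regex(path_glob), perms


def allows(profile, path, perm, file_uid, proc_uid):
    """True if any rule grants `perm` on `path` (owner rules need uid match)."""
    for owner, regex, perms in map(parse_rule, profile):
        if perm in perms and regex.match(path):
            if owner and file_uid != proc_uid:
                continue         # 'owner' rule: file must belong to the process uid
            return True
    return False


# The three profile variants from the thread, as constructed rule lists.
LOOSE = ["/** rw,"]
OWNER_HOME = ["owner @{HOME}/** rw,", "/tmp/** rw,"]
STRICT = ["owner @{HOME}/downloads/** rw,"]
```

Running `allows` over the same paths with each list makes the trade-off concrete: the loose rule grants a write everywhere the filesystem would, the owner rule still leaves `/tmp` and the user's own home open, and only the downloads-only rule refuses `~/coolstuff/`.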