From: Mike Kazantsev <mike_kazantsev@fraggod.net>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Restricting Firefox website access
Date: Wed, 14 Jan 2009 06:52:57 +0500
Message-ID: <20090114065257.3c11748f@coercion>
In-Reply-To: <200901131933.29930.michaelkintzios@gmail.com>
On Tue, 13 Jan 2009 19:33:14 +0000
Mick <michaelkintzios@gmail.com> wrote:
> On Sunday 11 January 2009, Mike Kazantsev wrote:
>
> > If blocking every possible user is too much trouble or you wish to
> > block just firefox, but not wget to http port for _all_ users (not the
> > same case as emerge from root) you can write a simple SUID wrapper for
> > firefox binary, which changes group to restricted one (but leaves uid
> > and home unchanged),
>
> Is this like creating a symlink to the original FF binary which you have moved
> somewhere else? Can you please explain?
>
> > then launches true firefox binary, to which only
> > that group has access.
No, it's not.
Symlinks aren't made for that purpose, and should be treated just like
the object they point to, without messing with anything on the way.
As a rule, symlink permissions should not be changed, and in most cases
it's not supported by the OS anyway.
What I mean is a wrapper binary. It can be either a native binary file
(like C compiled into ELF) or a script with SUID interpreter (like suid
perl).
I haven't tried this trick with firefox myself, but I don't see why it
shouldn't work here.
For example:
--- ff_wrapper.c
#include <stdio.h>
#include <unistd.h>

#define FF_GID 400  /* gid of the restricted 'ff-users' group, for this example */

int main(int argc, char **argv)
{
    (void)argc;
    /* Set real, effective and saved gid to 'ff-users'; this works because
     * the wrapper is still running setuid root at this point */
    if (setgid(FF_GID) != 0) { perror("setgid"); return 1; }
    /* Drop root privileges for good. setuid() called with euid 0 also clears
     * the saved set-user-ID; seteuid(getuid()) would leave it at 0 and let
     * the launched program switch back to root. */
    if (setuid(getuid()) != 0) { perror("setuid"); return 1; }
    /* Start real firefox; execv() only returns on failure */
    execv("/usr/bin/_firefox", argv);
    perror("execv");
    return 1;
}
--- ff_wrapper.c
You can compile it with 'gcc ff_wrapper.c -o ff_wrapper'.
Then do:
mv /usr/bin/{,_}firefox \
&& chown root:ff-users /usr/bin/_firefox \
&& chmod 0750 /usr/bin/_firefox \
&& mv ff_wrapper /usr/bin/firefox \
&& chown root:root /usr/bin/firefox \
&& chmod 6555 /usr/bin/firefox
So firefox can only be launched directly by a specific group (with gid=400
in this example, which should be created for this purpose), and the
wrapper ensures that when typing 'firefox' every user will be launching
it as a member of that group.
After that you can limit this group as you like.
Note that for all this to make sense, no user (firefox user, anyway)
should belong to the aforementioned group, or they'll be able to run
'/usr/bin/_firefox' directly, having the effective gid that's written in
passwd (like 'someuser', usually the same as the login name with Linux).
It's a bit more complicated with scripts (bash, for example),
because in that case it's an interpreter binary that gets launched
(i.e. /bin/bash, which then just reads the script), so the interpreter
would have to have the suid flag, and that's a huge security gap, since every
user having access to it will be able to abuse root privileges.
There are, however, interpreters like perl, which, granted the suid bit,
will shed all the privileges if the script they're trying to execute
doesn't have the suid bit set on it, but even then there are a whole lot of
things to check, so no one will be able to abuse the script itself.
--
Mike Kazantsev // fraggod.net
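The install recipe above ends with the warning that no account may belong to the restricted group, otherwise the wrapper is pointless. The following script is an added example, not part of the mail or of any Gentoo package: it wraps the mv/chown/chmod steps into an `install_wrapper` function (must run as root) and adds an `audit_layout` function that checks the resulting modes and confirms that the restricted group has no members, either in the group file or as somebody's primary gid in passwd. It assumes Linux with GNU coreutils (`stat -c`), a group called ff-users with gid 400 as in the mail, and takes the group/passwd file paths as parameters so the audit can be pointed at a test tree.

```shell
#!/bin/sh
# Added example (not from the original mail): install and audit the
# SUID-wrapper layout for firefox described in the thread.
# Assumes GNU coreutils and a restricted group 'ff-users' (gid 400).

# group_members GROUPFILE GROUP -> prints the member field of GROUP
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# primary_group_users PASSWDFILE GID -> login names whose primary gid is GID.
# Such a user gets the restricted gid from passwd and could run the real
# binary directly, bypassing the wrapper.
primary_group_users() {
    awk -F: -v gid="$2" '$4 == gid { print $1 }' "$1"
}

# file_mode PATH -> octal mode without leading zero, e.g. 6555 or 750
file_mode() {
    stat -c '%a' "$1"
}

# audit_layout WRAPPER REALBIN GROUP GID GROUPFILE PASSWDFILE
# Exit 0 when: wrapper is mode 6555, real binary is mode 0750, and no
# account belongs to GROUP via the group file or via its primary gid.
audit_layout() {
    wrapper=$1 realbin=$2 group=$3 gid=$4 groupfile=$5 passwdfile=$6
    rc=0
    m=$(file_mode "$wrapper") || return 1
    [ "$m" = 6555 ] || { echo "$wrapper: mode $m, expected 6555" >&2; rc=1; }
    m=$(file_mode "$realbin") || return 1
    [ "$m" = 750 ] || { echo "$realbin: mode $m, expected 750" >&2; rc=1; }
    members=$(group_members "$groupfile" "$group")
    [ -z "$members" ] || { echo "$group has members: $members" >&2; rc=1; }
    users=$(primary_group_users "$passwdfile" "$gid")
    [ -z "$users" ] || { echo "primary gid $gid is used by: $users" >&2; rc=1; }
    return $rc
}

# install_wrapper WRAPPER_BINARY BINDIR GROUP
# The mv/chown/chmod sequence from the mail, parameterised. Must run as root:
# the real binary becomes root:GROUP 0750, the wrapper root:root 6555.
install_wrapper() {
    src=$1 bindir=$2 group=$3
    mv "$bindir/firefox" "$bindir/_firefox" &&
    chown root:"$group" "$bindir/_firefox" &&
    chmod 0750 "$bindir/_firefox" &&
    cp "$src" "$bindir/firefox" &&
    chown root:root "$bindir/firefox" &&
    chmod 6555 "$bindir/firefox"
}

# Typical use on the real system (as root), then audit the result:
#   install_wrapper ./ff_wrapper /usr/bin ff-users
#   audit_layout /usr/bin/firefox /usr/bin/_firefox ff-users 400 /etc/group /etc/passwd
```

The audit is deliberately separate from the install so it can be re-run later, for example from cron, to catch somebody being added to ff-users by hand, which silently re-enables direct access to `/usr/bin/_firefox`.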