Hello Reiner,
Thanks for your response.

To be clear: I don’t have a problem with Firejail being a setuid executable 
(perhaps a little trepidation ;-), I have an issue with the default broad 
powers granted to unprivileged users with the install of the Firejail package.

> I think the most common use case for firejail is a single user machine, where
> the administrator is also the regular user, and it is used to limit what
> applications can do on the system.
> On multi-user systems the administrator needs to be more careful in general
> what is installed and how it is configured.
> By installing firejail its functionality is automatically/actively granted,
> as that is the expected behavior (like 'ping' works out of the box even for
> unprivileged users when it is installed).

Even on a single user system, the basic security model is: privileged root is 
used to configure / set system controls and limits.  End user applications are 
then run unprivileged, unable to change or override these.

Installing something like ping (no longer using setuid but caps) does not allow 
an unprivileged user or application to override system security settings like 
the netfilter firewall, or control groups, or add new network interfaces / MAC 
addresses / IP addresses to your network.  Yet, by default, installing the 
Firejail package enables this for all unprivileged users / applications.

Users installing Firejail may not always run everything in a Firejail.  I can 
imagine an end-user application unable to reach the internet (to phone home, 
run a server, etc.) due to the presence of a system firewall could look to 
exploit Firejail using --noprofile --net to do whatever it wants on the LAN / 
WAN / Internet.

> Is it possible to set up rules that apply to all network namespaces?
I do not believe this is possible; each network namespace has its own netfilter 
rules.
> Because for other programs (like containers) using network namespaces those
> rules will probably also not apply.
Only root can create network namespaces (containers typically use privileged 
daemons).  I’m not aware of unprivileged user launched containers allowing the 
equivalent of Firejail’s --noprofile combined with --net, --mac, --ip (or even 
--cgroup) in user space.

> Missing configurability for that feature is something that can be implemented.
> I will suggest it to upstream.
Good idea, thanks.

Whatever you decide is fine with me.  Maybe people who install packages do read 
the notes and README.  Installing any package or software does present some 
risk, more so a setuid one.  And perhaps (I don’t know) most users would want / 
expect the behavior of the default configuration?  Perhaps most users don’t 
configure firewalls on their systems!? :-/  I was just hoping to minimize 
exposure to unexpected security holes, or at least raise awareness of them, for 
future installers.

Thanks for your time,
Cheers,
Alain
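The following is an added example, not code from this thread or from the Firejail project: a small POSIX shell audit, written from the administrator's side, that checks whether a local Firejail install leaves the network-namespace features (--net and friends) open to every unprivileged user, which is the exposure discussed above. It assumes the firejail.config keys `network` and `restricted-network` that later Firejail releases ship (the kind of configurability Reiner proposes suggesting upstream); the sample config files it writes under a temporary directory are constructed for the demonstration, and the `audit` function name is this example's own.

```shell
#!/bin/sh
# Audit a Firejail installation for the exposure described in the thread:
# a setuid-root firejail binary whose firejail.config lets unprivileged
# users create their own network namespace and so run outside the host's
# netfilter rules.
#
# Assumed (not from the thread): the firejail.config keys "network" and
# "restricted-network" as shipped by later Firejail releases.

# Read a "key value" setting from a firejail.config file, skipping comment
# lines; prints the value, or nothing when the key is absent.
config_value() {
    # $1 = config file, $2 = key
    awk -v key="$2" '$1 == key { print $2; exit }' "$1" 2>/dev/null
}

# Classify one config file. Prints one of:
#   disabled   - network features turned off for everyone (network no)
#   restricted - only root may use --net / --interface / --netfilter
#   open       - any user may create network namespaces (upstream default)
network_policy() {
    net=$(config_value "$1" network)
    restricted=$(config_value "$1" restricted-network)
    if [ "$net" = "no" ]; then
        echo disabled
    elif [ "$restricted" = "yes" ]; then
        echo restricted
    else
        echo open   # absent keys mean: network yes, restricted-network no
    fi
}

# True when the path is a setuid binary owned by root.
is_setuid_root() {
    # $1 = path; uses ls -ld so it does not depend on GNU stat
    [ -u "$1" ] && [ "$(ls -ld "$1" | awk '{print $3}')" = "root" ]
}

# Full audit of one binary/config pair. Returns 0 (and prints EXPOSED)
# when unprivileged users can bypass host netfilter, 1 otherwise.
audit() {
    bin=$1; cfg=$2
    policy=$(network_policy "$cfg")
    if is_setuid_root "$bin" && [ "$policy" = "open" ]; then
        echo "EXPOSED: $bin is setuid root and $cfg leaves --net open to all users"
        return 0
    fi
    echo "OK: network policy is '$policy' for $bin"
    return 1
}

# Constructed sample configs (not real files from any system).
tmp=$(mktemp -d)
printf '# upstream defaults\nnetwork yes\nrestricted-network no\n' > "$tmp/default.config"
printf 'network yes\nrestricted-network yes\n' > "$tmp/hardened.config"
printf 'network no\n' > "$tmp/disabled.config"
: > "$tmp/empty.config"   # no keys at all: treated as the open default

# Run against the real install when one is present.
if [ -x /usr/bin/firejail ]; then
    audit /usr/bin/firejail /etc/firejail/firejail.config
fi
```

On a multi-user host the administrator would want `restricted-network yes` (or `network no`) in /etc/firejail/firejail.config so that ordinary users keep the sandboxing benefit while only root can attach a sandbox to its own interfaces or netfilter table.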
