On Fri, Jan 28, 2022, 9:17 AM Vincent Lefevre <vinc...@vinc17.net> wrote:

> On 2022-01-27 21:44:07 -0600, Nicholas Geovanis wrote:
> > On Wed, Jan 26, 2022, 12:39 PM Andrei POPESCU <andreimpope...@gmail.com>
> > wrote:
> >
> > > I'll use the opportunity to draw attention to DSA-5059-1, see e.g. this
> > > article for details:
> > >
> > >
> > >
> https://arstechnica.com/information-technology/2022/01/a-bug-lurking-for-12-years-gives-attackers-root-on-every-major-linux-distro/
> > >
> > > And please don't bother to reply with "there are no other users on this
> > > system I should worry about", the bad guys could still find ways to get
> > > in, e.g. via a compromised browser, regardless if you are behind a
> > > firewall or not[1].
>
> Running the browser in firejail should be sufficient as the profile
> should disable pkexec, e.g.
>

Vincent's point is the right one I think. We need to deploy security "in
depth". Every single setuid executable should be SHIPPED protected, just
pick your style of protection.

SELinux should be shipped enabled like Red Hat does. Think it's too hard to
administer? Then ship it with multiple models implemented in multiple rule
sets like Red Hat does. Then you can choose your style of mandatory access
control with a mouse click at installation.

> $ firejail --profile=firefox ls
> Reading profile /etc/firejail/firefox.profile
> [...]
> Error: execute permission denied for /usr/bin/pkexec
> Error: no suitable pkexec executable found
>
> > Servers don't have browsers installed on them, for exactly this reason.
>
> Servers shouldn't have pkexec installed in the first place, anyway.
>
> --
> Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
>
>

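As an added example that is not part of this thread (not Vincent's or Nicholas's code), the POSIX shell script below enumerates the setuid/setgid binaries below a given root so each can be reviewed, and shows the stopgap that was circulated for the pkexec bug covered by DSA-5059-1: dropping the setuid bit with `chmod 0755 /usr/bin/pkexec` until the fixed package is installed. It assumes Linux with GNU find and coreutils (`-printf`, `stat -c`). The demo runs against a scratch directory it constructs itself, never the live system, so it is safe to try as an unprivileged user.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes GNU find/coreutils.

# list_suid ROOT: print "MODE OWNER PATH" for every setuid or setgid regular
# file below ROOT, staying on one filesystem (-xdev), sorted by path.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %p\n' 2>/dev/null | sort -k3
}

# count_suid ROOT: number of setuid/setgid files below ROOT.
count_suid() {
    list_suid "$1" | wc -l | tr -d ' '
}

# is_setuid PATH: exit 0 if PATH carries the setuid bit.
is_setuid() {
    [ -u "$1" ]
}

# drop_setuid PATH: strip the setuid and setgid bits, keeping the remaining
# permission bits (the "chmod 0755 /usr/bin/pkexec" stopgap generalised to
# any mode), and print the resulting octal mode.
drop_setuid() {
    chmod u-s,g-s "$1" && stat -c '%a' "$1"
}

# Demo against a constructed scratch tree (not the real system). Set DEMO=1
# to run it; the file named pkexec here is a dummy script, not the real one.
if [ "${DEMO:-0}" = 1 ]; then
    root=$(mktemp -d)
    printf '#!/bin/sh\necho hi\n' > "$root/pkexec"
    chmod 4755 "$root/pkexec"
    printf '#!/bin/sh\necho hi\n' > "$root/plain"
    chmod 0755 "$root/plain"
    echo "setuid/setgid files under $root ($(count_suid "$root")):"
    list_suid "$root"
    echo "dropping setuid from $root/pkexec -> mode $(drop_setuid "$root/pkexec")"
    echo "remaining: $(count_suid "$root")"
    rm -rf "$root"
fi
```

Run it with `DEMO=1 sh audit-suid.sh` to see the scratch-tree walk; on a real host, `list_suid /` (as root, so every directory is readable) gives the inventory the "ship every setuid binary protected" argument is about, and `drop_setuid /usr/bin/pkexec` is the temporary measure, not a substitute for installing the fixed policykit-1 package.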