Public bug reported:

The default Firefox AppArmor profile (package: firefox) allows read
access to all files in the system:

# in /etc/apparmor.d/usr.bin.firefox:

/**/ r

This allows browsing all directory contents on the system which violates
Least Privilege Principle and allows malware to explore what's on the
system (even though there are additional deny rules that protect most
sensitive files, a default read all is still unacceptable).

In addition (package: apparmor):

# in /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files:

@{HOME}/** r,
owner @{HOME}/** w,

Which allows read/write to ALL USER FILES, and read to ALL OTHER USER
FILES because default chmod on user dirs is o+rx. Granted, access to
~/.ssh is explicitly denied, but there are things like documents and
other user files that should NOT be readable to Firefox at all.

This is, IMHO, a vulnerability.

The profile should allow read/write ONLY to dirs like ~/Downloads or
~/Public. In addition, the above two lines that allow unconfined rw
access to HOME/** should be commented out, with an explanation of what
it means to enable them if the user really wants that kind of convenience.

Modern malware is not just about code execution and modifying local or
system files. Modern malware is also very much so about data and
identity theft against which the current default AppArmor profile does
NOT protect.

Take for example password managers like KeePassX. The default profile on
ubuntu-browsers would allow unfettered access to the very much sensitive
passwords database.

Sure, users can override and expand the profile with their local
modifications, but this "vulnerability" is not documented or
communicated to users and gives a false sense of security ("Oh, I have
AppArmor profile on Firefox, I'm safe").

Unfortunately, proper security is not in the domain of casual computer
usage and I understand that Ubuntu has to balance between convenience
and security but IMHO it is possible to make this more secure AND at the
same time inform the user where to DISABLE (rather than enable) those
stricter rules.

If Ubuntu is not willing to sacrifice the convenience for PROPER
security (shame on Ubuntu if that's the case), then AT THE VERY LEAST
the user should be informed that the default AppArmor profile, when they
install a browser, is biased toward convenience and users SHOULD take
additional actions to protect themselves.

I'm sure this all applies to more than just the browsers, but browsers,
which are the most vulnerable component in a modern system, are my
primary concern here.
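As an added example, not code from the bug report, the firefox package or the apparmor package: a POSIX shell audit that flags AppArmor allow rules whose path is the whole filesystem (`/**` or `/**/`) or the whole home directory (`@{HOME}/**`), i.e. the two rules quoted above, alongside a constructed narrower rule set limited to ~/Downloads and ~/Public of the kind the report asks for. The rule texts, the function names and the `rwklx` deny mode are constructed for the example; the audit can also be pointed at a real profile or abstraction file.

```shell
#!/bin/sh
# Added example for this bug report (not code from the report, the
# firefox package or the apparmor package): flag AppArmor rules that
# grant access to the whole filesystem or the whole home directory,
# and show a narrower rule set. All rule texts below are constructed.

# Constructed sample: the two rules quoted in the report plus a deny rule
# of the kind the report says already protects ~/.ssh.
WEAK_RULES='/**/ r,
@{HOME}/** r,
owner @{HOME}/** w,
deny @{HOME}/.ssh/** rwklx,'

# Constructed alternative: read/write only under ~/Downloads and ~/Public,
# owner-qualified so files belonging to other users are never matched.
TIGHT_RULES='owner @{HOME}/Downloads/ r,
owner @{HOME}/Downloads/** rw,
owner @{HOME}/Public/ r,
owner @{HOME}/Public/** rw,
deny @{HOME}/.ssh/** rwklx,'

# Print every allow rule (deny rules are skipped) whose path is the whole
# filesystem ("/**" or "/**/") or the whole home directory ("@{HOME}/**").
# Braces are written as bracket expressions so the pattern is plain ERE.
broad_rules() {
    printf '%s\n' "$1" |
        grep -E '^[[:space:]]*(owner[[:space:]]+)?(/\*\*/?|@[{]HOME[}]/\*\*)[[:space:]]+[a-z]+,?[[:space:]]*$'
}

# Number of broad rules in a rule set; 0 means the set passes this check.
count_broad_rules() {
    broad_rules "$1" | grep -c . || true
}

# Run the same check over a real profile or abstraction file, e.g.
#   audit_profile_file /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files
audit_profile_file() {
    broad_rules "$(cat "$1")"
}

# Stand-alone demonstration: the rule set from the report is flagged
# (three hits), the narrower one is not (zero hits).
printf 'broad rules in WEAK_RULES: %s\n' "$(count_broad_rules "$WEAK_RULES")"
broad_rules "$WEAK_RULES"
printf 'broad rules in TIGHT_RULES: %s\n' "$(count_broad_rules "$TIGHT_RULES")"
```

A trailing `/` in an AppArmor path matches directories only, which is why `/**/ r` grants directory listing everywhere without by itself granting file reads. AppArmor deny rules take precedence over allow rules, so a deny rule for a specific directory added in a local override is honoured even while the abstraction's `@{HOME}/** r` stays in place; reload the profile with `apparmor_parser -r` after editing.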

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: xenial yakkety

** Summary changed:

- Firefox' AppArmor profile allows too much read access
+ AppArmor profile for ubuntu-browsers allows too much read access

** Description changed:

  The default Firefox AppArmor profile (package: firefox) allows read
  access to all files in the system:
  
  # in /etc/apparmor.d/usr.bin.firefox:
  
  /**/ r
  
  This allows browsing all directory contents on the system which violates
  Least Privilege Principle and allows malware to explore what's on the
  system (even though there are additional deny rules that protect most
  sensitive files, a default read all is still unacceptable).
  
  In addition (package: apparmor) :
  
  # in /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files:
  
  @{HOME}/** r,
  owner @{HOME}/** w,
  
- Which allows read write to ALL USER FILES, and ALL OTHER USER FILES
- because default chmod on user dirs is o+rx. Granted, access to ~/.ssh is
- explicitly denied, but there are things like documents and other user
- files that should NOT be readable to Firefox at all.
+ Which allows read write to ALL USER FILES, and read to ALL OTHER USER
+ FILES because default chmod on user dirs is o+rx. Granted, access to
+ ~/.ssh is explicitly denied, but there are things like documents and
+ other user files that should NOT be readable to Firefox at all.
  
  This is, IMHO, a vulnerability.
  
  The profile should allow read/write ONLY to dirs like ~/Downloads or
  ~/Public. In addition the above two lines that allow unconfined rw
  access to HOME/**, should be commented out and explained what it means
  to enable them if the user really wants that kind of convenience.
  
  Modern malware is not just about code execution and modifying local or
  system files. Modern malware is also very much so about data and
  identity theft against which the current default AppArmor profile does
  NOT protect.
  
  Take for example password managers like KeePassX. The default profile on
  ubuntu-browsers would allow unfettered access to the very much sensitive
  passwords database.
  
  Sure, users can override and expand the profile with their local
  modifications, but this "vulnerability" is not documented or
  communicated to users and gives a false sense of security ("Oh, I have
  AppArmor profile on Firefox, I'm safe").
  
  Unfortunately, proper security is not in the domain of casual computer
  usage and I understand that Ubuntu has to balance between convenience
  and security but IMHO it is possible to make this more secure AND at the
  same time inform the user where to DISABLE (rather than enable) those
  stricter rules.
  
  If Ubuntu is not willing to sacrifice the convenience for PROPER
  security (shame on Ubuntu if that's the case), then AT THE VERY LEAST
  the user should be informed that the default AppArmor profile, when they
  install a browser, is biased toward convenience and users SHOULD take
  additional actions to protect themselves.
  
  I'm sure this all applies to more than just the browsers, but browsers
  are my primary concern here, which are the most vulnerable component in
  a modern system.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1662501
