Firejail: Some Security Questions Regarding Firejail

Created on 18 Dec 2018 · 2 Comments · Source: netblue30/firejail

I have been doing a bit of research and reading up on how reliable the security is on Firejail.

I've come across a lot of user opinions and articles saying how Firejail has a broad attack surface because it uses setuid.
Can you tell me why these users believe that it is not safe to use Firejail?
See: here and here - first comment.

My concerns and question relate a lot to this user comment, which no one bothered to answer.
Relating to that comment, is it possible that just using Firejail can actually create trouble for you rather than not using it at all?
For example, is it possible that, when using Skype on Ubuntu with Firejail, Skype (without us knowing) can somehow find a way to use the elevated root privileges? (Because that would be worrying.)
Where and when would this "broad attack surface" actually become a problem? Only if another user knows you are using Firejail and targets you, or in some other scenario like if you use Firejail with a specific app?

Would appreciate your input, thanks

All 2 comments

Those issues are applicable outside of the jail, i.e. someone breaks into your system, finds you have firejail installed and uses it to escalate privileges (there aren't publicly known ways to do it atm). This isn't a typical threat scenario on single-user desktop systems, where all valuable targets lie under the user's $HOME and root access isn't needed to do the harm. So at this point you already lost.

This is also where firejail comes in useful, as the security benefit of using firejail matters inside of the jail. It will protect your $HOME and the rest of the system from being broken into in the first place for every app that is confined.

I'm going to go ahead and close this as the question seems to have been answered. @oositP, please feel free to re-open if you feel your concerns were not sufficiently addressed.
