Installing a package with both pip and npm is not just download & extract:
- pip install x runs x's setup.py
- npm install x runs scripts listed in x's package.json's scripts field (the behavior can be disabled with --ignore-scripts though)

Both pip and npm repositories are not checked for malware by some authority, malware is pretty possible there (for example this https://searchsecurity.techtarget.com/news/252453398/Compromised-NPM-package-highlights-open-source-trouble).
Don't we need to cover npm and pip by firejail out of the box?
// I'm not into ruby but probably gems installing poses the same issue.
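The two install-time facts stated above (npm runs lifecycle scripts from package.json; pip runs setup.py when it has to build a source distribution) can be checked before a package is installed. The following is an added example, not code from the firejail project or from anyone in this thread; the package.json text and the sdist tarball it inspects are constructed inline for illustration, and the hook list and flag names (--ignore-scripts, --only-binary=:all:) are the documented npm and pip ones.

```python
"""Audit what `npm install` / `pip install` would execute for a given package.

Added example for the firejail issue thread; the sample inputs are constructed.
"""
import io
import json
import tarfile

# Scripts npm runs while installing a dependency: the pre/post install hooks, plus
# `prepare` (run when installing from git or a local path). `prepublish` is
# deprecated but still honoured by older npm versions, so it is listed too.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Constructed package.json: one harmless test script and one install-time hook.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-pkg",
  "version": "1.0.0",
  "scripts": {
    "test": "node test.js",
    "postinstall": "node scripts/setup.js"
  }
}"""


def npm_install_hooks(package_json_text: str) -> dict:
    """Return {hook: command} for every script npm would run at install time."""
    scripts = json.loads(package_json_text).get("scripts") or {}
    return {hook: scripts[hook] for hook in NPM_INSTALL_HOOKS if hook in scripts}


def pip_executes_code(filename: str) -> bool:
    """True if installing this distribution makes pip run package-supplied code.

    A wheel (.whl) is a plain archive that pip only unpacks. Anything else is a
    source distribution that pip has to build, which runs setup.py or whatever
    build backend the package declares.
    """
    return not filename.endswith(".whl")


def sdist_build_files(sdist_bytes: bytes) -> list:
    """List the top-level build files inside an sdist tarball that a build would consult."""
    interesting = ("setup.py", "setup.cfg", "pyproject.toml")
    found = []
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            # sdists unpack to a single "<name>-<version>/" directory; only look there.
            if len(parts) == 2 and parts[1] in interesting:
                found.append(parts[1])
    return sorted(found)


def constructed_sdist() -> bytes:
    """Build a minimal in-memory sdist containing a setup.py (constructed sample)."""
    files = (
        ("x-1.0/setup.py", b"from setuptools import setup\nsetup(name='x')\n"),
        ("x-1.0/x/__init__.py", b""),
    )
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def hardened_install_command(tool: str, package: str) -> list:
    """Argument vector that installs without running package-supplied code."""
    if tool == "npm":
        return ["npm", "install", "--ignore-scripts", package]
    if tool == "pip":
        return ["pip", "install", "--only-binary=:all:", package]
    raise ValueError(f"unknown tool: {tool}")


if __name__ == "__main__":
    print("npm hooks:", npm_install_hooks(SAMPLE_PACKAGE_JSON))
    print("sdist build files:", sdist_build_files(constructed_sdist()))
    print("wheel runs code:", pip_executes_code("x-1.0-py3-none-any.whl"))
    print(" ".join(hardened_install_command("npm", "example-pkg")))
```

The hardened commands only avoid install-time code execution; the package's own code still runs as soon as it is imported or required, which is the point made later in the thread.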
Why are there no profiles for XY?
Because no one has written it yet.
You are right about the fact that there are a lot of attack vectors via pip and npm, but a profile for e.g. pip would have to be very lax, as you never know what the different setup.py files need.
> Both pip and npm repositories are not checked for malware by some authority, malware is pretty possible there
If you execute malware on your system you've lost. So you have to check if you can trust a package or not.
To add to what @rusty-snake says, IMHO any profile that actually works for pip would be too loose to offer any meaningful security and would only give a false sense of security. Probably better to not have a pip profile than for folks to think that they can just abandon reasonable precautions and use a super-weak profile while believing they're safe.
I don't know much about npm though
I've got your point, guys, thanks for the comments. There is no issue then.