On the Debian bugtracker someone reported problems with enabling U2F, which is disabled by default.
The setting in firejail.config is a bit confusing, as it is named browser-disable-u2f, which is enabled by default (which means that u2f is disabled).
The manpages only document the command line flag --nou2f and nou2f / BROWSER_DISABLE_U2F for profiles.
But from the documentation alone it's not possible to figure out why U2F might be disabled. One needs to look into the configuration for that (and not get confused).
He also suggests enabling U2F (for browsers) by default. Opinions on that?
This would mean full /dev access for browsers (except the devices blacklisted by no*).
https://github.com/netblue30/firejail/commit/32c3669115a7168e5a7fa13347bd6f8daf838be0
https://github.com/netblue30/firejail/issues/3170
Thanks, I wasn't aware that this would grant such wide access to /dev.
iirc the private-dev is disabled only to allow u2f dongles to be connected at will
you can remove that conditional for more security, but you then have to have your dongle connected before launching the browser/sandbox
I personally prefer the latter, but too many issues were filed that u2f wasn't working.
My impression is that in its current form BROWSER_DISABLE_U2F is a bit of a misnomer
Indeed. I have seen users on the archlinux IRC channel asking questions about it. Maybe something like BROWSER_SUPPORT_U2F would be less confusing...
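The double negative discussed in this thread, worked through as an added example (not part of the thread and not firejail's own code): the script resolves browser-disable-u2f against a browser profile and reports whether U2F works and whether /dev stays restricted. It assumes config lines of the form "browser-disable-u2f yes|no" and profile conditionals written as "?BROWSER_DISABLE_U2F: <directive>"; both sample profiles are constructed from what the comments above describe.

```shell
#!/bin/sh
# Added example: resolve firejail's double-negative U2F setting.
# Assumed formats: "browser-disable-u2f yes|no" in firejail.config, "#" comments,
# and "?BROWSER_DISABLE_U2F: <directive>" conditionals in profiles.

# Effective value of browser-disable-u2f for a firejail.config on stdin.
# The thread says the option is enabled by default, so a missing or
# commented-out line resolves to "yes" (U2F disabled).
disable_u2f_value() {
    awk '/^[ \t]*#/ { next }
         $1 == "browser-disable-u2f" { v = $2 }
         END { print (v == "" ? "yes" : v) }'
}

# Directives that take effect for a profile on stdin; $1 is yes|no.
# Conditional lines apply only while browser-disable-u2f is "yes".
effective_directives() {
    awk -v active="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "?BROWSER_DISABLE_U2F:" {
            if (active == "yes") { $1 = ""; sub(/^ +/, ""); print }
            next
        }
        { print }'
}

# $1 = config text, $2 = profile text; prints "u2f=<on|off> dev=<private|full>".
u2f_summary() {
    val=$(printf '%s\n' "$1" | disable_u2f_value)
    dirs=$(printf '%s\n' "$2" | effective_directives "$val")
    u2f=on; dev=full
    printf '%s\n' "$dirs" | grep -qx 'nou2f' && u2f=off
    printf '%s\n' "$dirs" | grep -qx 'private-dev' && dev=private
    echo "u2f=$u2f dev=$dev"
}

# Constructed sample: both directives gated on the setting, as the thread describes.
SAMPLE_PROFILE='?BROWSER_DISABLE_U2F: nou2f
?BROWSER_DISABLE_U2F: private-dev'
# Constructed variant with the private-dev conditional removed ("more security").
HARDENED_PROFILE='?BROWSER_DISABLE_U2F: nou2f
private-dev'

u2f_summary '# browser-disable-u2f yes' "$SAMPLE_PROFILE"    # shipped default
u2f_summary 'browser-disable-u2f no'    "$SAMPLE_PROFILE"    # U2F on, /dev wide open
u2f_summary 'browser-disable-u2f no'    "$HARDENED_PROFILE"  # U2F on, /dev restricted
```

In the last case the dongle has to be plugged in before the sandbox starts, as noted in the comments above.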