
20 October 2012

262. chroot/jail your iceweasel (firefox)

Update: in my youth I thought that chroot=security. I now know better.
http://yarchive.net/comp/linux/chroot.html
http://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells

In other words, don't rely on chroot for security -- it's not meant to be a security tool. I personally use it to browse at work without leaving too obvious a trail (nothing shady -- part of my job is to apply for permanent jobs, but it is not necessarily in the interest of my current employer to see me succeed. Academia is a weird place.)

Original post:
There are many reasons why you'd want to secure your browser -- ranging from paranoia to justifiable cautiousness (you're probably visiting the wrong kind of sites...).

A chroot environment doesn't make you anonymous -- it just helps sandbox your applications. To protect your anonymity you'll want to prevent your browser from setting cookies, and use a proxy via an ssh tunnel to encrypt your traffic and hide your true IP address. There's no silver bullet for these things.

I've chroot:d things in the past when compiling 32 bit applications on 64 bit machines, but for this guide I'm leaning heavily on this post: https://help.ubuntu.com/community/BasicChroot

sudo apt-get install coreutils debootstrap

Time to get rocking. Be aware that you should have a bit of free space on your target drive.


sudo debootstrap --arch amd64 wheezy /media/chroot/ http://ftp.au.debian.org/debian/

which gets stuff underway:


I: Retrieving InRelease
I: Checking Release signature
I: Valid Release signature (key id 9FED2BCBDCD29CDF762678CBAED4B06F473041FA)
I: Retrieving Packages
I: Validating Packages
I: Resolving dependencies of required packages...
I: Resolving dependencies of base packages...
I: Checking component main on http://ftp.au.debian.org/debian...
I: Retrieving libacl1
I: Validating libacl1
I: Retrieving apt
[..]
I: Configuring dpkg-dev...
I: Configuring build-essential...
I: Base system installed successfully.

So far, so good.

Create a shell script, e.g. chroot.sh, with the following in it:
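# let X clients connect; a bare "xhost +" switches X access control off for
# every host (xhost +local: limits this to local, non-network clients)
xhost +
# make /proc available inside the chroot
sudo mount -o bind /proc /media/chroot/proc
# reuse the host's DNS settings
sudo cp /etc/resolv.conf /media/chroot/etc/resolv.conf
sudo chroot /media/chroot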

Run it every time you want to enter your chroot environment:
sh chroot.sh

In the chroot shell, do
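apt-get install locales sudo vim
echo 'export LC_ALL="C"'>>/etc/bash.bashrc
echo 'export LANG="C"'>>/etc/bash.bashrc
# export DISPLAY so the browser started from this shell can find the X server
echo 'export DISPLAY=:0.0' >> /etc/bash.bashrc
source /etc/bash.bashrc
adduser sandbox
# -g makes sudo the primary group of sandbox, so sandbox can become root inside the chroot
usermod -g sudo sandbox
# one sudo timestamp per user instead of one per terminal
echo 'Defaults !tty_tickets' >> /etc/sudoers
apt-get install iceweasel
su sandbox
cd ~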

Launch iceweasel/firefox:

sandbox@beryllium:/$ firefox


And you're pretty much done.
Next time you want to launch a sandboxed version of firefox just do:

me@beryllium:~$ sh chroot.sh 
access control disabled, clients can connect from any host
root@beryllium:/# su sandbox
sandbox@beryllium:/$ firefox
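
A check to go with the update at the top of this post, added here as an example and not part of the original guide: it looks through a chroot tree for the settings from the steps above that let the browser user become root inside the jail or reach the host's X server. The function names, the finding codes and the sample tree are made up for the illustration; the sample tree is constructed, not a real chroot.

```shell
#!/bin/sh
# Added example: audit a chroot tree built with the steps from this post.
# audit_chroot ROOT USER [LAUNCHER] prints one finding code per line.
audit_chroot() {
    root=$1; user=$2; launcher=${3:-}
    [ -r "$root/etc/passwd" ] && [ -r "$root/etc/group" ] || return 2
    # gid of the sudo group and primary gid of the user, as seen inside the jail
    sudo_gid=$(awk -F: '$1 == "sudo" { print $3 }' "$root/etc/group")
    user_gid=$(awk -F: -v u="$user" '$1 == u { print $4 }' "$root/etc/passwd")
    if [ -n "$sudo_gid" ] && [ "$user_gid" = "$sudo_gid" ]; then
        echo "SUDO_PRIMARY_GROUP"   # usermod -g sudo: user can become root in the jail
    fi
    # supplementary membership (what usermod -aG sudo would have produced)
    if awk -F: -v u="$user" '$1 == "sudo" { n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) hit = 1 }
            END { exit !hit }' "$root/etc/group"; then
        echo "SUDO_MEMBER"
    fi
    # one sudo timestamp per user: a ticket from any terminal is valid everywhere
    if grep -Eq '^[[:space:]]*Defaults[[:space:]]+!tty_tickets' "$root/etc/sudoers" 2>/dev/null; then
        echo "TTY_TICKETS_OFF"
    fi
    # proc/self only exists when a proc filesystem is mounted (the guide bind-mounts the host's)
    if [ -e "$root/proc/self" ]; then
        echo "PROC_VISIBLE"
    fi
    # a bare "xhost +" turns X access control off for every host
    if [ -n "$launcher" ] && grep -Eq '^[[:space:]]*xhost[[:space:]]+\+[[:space:]]*$' "$launcher" 2>/dev/null; then
        echo "XHOST_OPEN"
    fi
    return 0
}

# Constructed sample tree mirroring the guide's end state (not a real chroot).
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc" "$d/proc"
    printf 'root:x:0:\nsudo:x:27:\nsandbox:x:1000:\n' > "$d/etc/group"
    printf 'root:x:0:0:root:/root:/bin/bash\nsandbox:x:1000:27:,,,:/home/sandbox:/bin/bash\n' > "$d/etc/passwd"
    printf '%%sudo ALL=(ALL:ALL) ALL\nDefaults !tty_tickets\n' > "$d/etc/sudoers"
    : > "$d/proc/self"
    printf 'xhost +\nsudo chroot /media/chroot\n' > "$d/chroot.sh"
    echo "$d"
}

sample=$(make_sample)
audit_chroot "$sample" sandbox "$sample/chroot.sh"
rm -rf "$sample"
```

On a real setup, call it as audit_chroot /media/chroot sandbox chroot.sh from the directory that holds the launcher script.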

19 April 2012

119. Installing sun java/Oracle java in debian

Update 23 March 2013: the java.com file isn't distributed as a .bin file anymore. Just replace all instances of .bin with .tar.gz and it works just as well.

This basically follows http://sylvestre.ledru.info/blog/sylvestre/2012/02/29/java_package_replacement_of_sun_java6

While a few applications I was playing with (Grix and Grisu), which require java 1.5 or better, should work fine with openjdk-7 (1.6.0_24), they didn't. I had to run them using binary packages which I downloaded from java.com and then installed locally.

I'd like a better solution, and here it is:

1. sudo apt-get install java-package

2. Download the java files from java.com, e.g. jre-6u31-linux-x64.bin or jre-7u17-linux-x64.tar.gz
http://java.com/en/download/manual.jsp?locale=en

3. Make-jpkg
Run make-jpkg on the downloaded file, whether it ends in .bin or .tar.gz:

make-jpkg jre-6u31-linux-x64.bin
Create debian package:
    dh_testdir
    dh_testroot
    dh_installchangelogs
    dh_installdocs
    dh_compress
    dh_fixperms
    dh_installdeb
    dh_shlibdeps
dpkg-shlibdeps: warning: Can't extract name and version from library name `libjvm.so'
[..]
dpkg-shlibdeps: warning: Can't extract name and version from library name `libjvm.so'
[..]
dpkg-shlibdeps: warning: Can't extract name and version from library name `libjli.so'
dpkg-shlibdeps: warning: package could avoid a useless dependency if /tmp/make-jpkg.9XTCruNvKM/install/usr/lib/jvm/j2re1.6-oracle/lib/amd64/native_threads/libhpi.so /tmp/make-jpkg.9XTCruNvKM/install/usr/lib/jvm/j2re1.6-oracle/lib/amd64/libjava.so /tmp/make-jpkg.9XTCruNvKM/install/usr/lib/jvm/j2re1.6-oracle/lib/amd64/libdt_socket.so /tmp/make-jpkg.9XTCruNvKM/install/usr/lib/jvm/j2re1.6-oracle/lib/amd64/libnet.so /tmp/make-jpkg.9XTCruNvKM/install/usr/lib/jvm/j2re1.6-oracle/bin/javaws /tmp/make-jpkg.9XTCruNvKM/install/usr/lib/jvm/j2re1.6-oracle/lib/amd64/libhprof.so were not linked against libnsl.so.1 (they use none of the library's symbols).
dpkg-shlibdeps: warning: package could avoid a useless dependency if /tmp/make-jpkg.9XTCruNvKM/install/usr/lib/jvm/j2re1.6-oracle/lib/amd64/libjawt.so was not linked against libmawt.so (it uses none of the library's symbols).
    dh_gencontrol
    dh_md5sums
    dh_builddeb
dpkg-deb: building package `oracle-j2re1.6' in `/tmp/make-jpkg.9XTCruNvKM/oracle-j2re1.6_1.6.0+update31_amd64.deb'.
    copy oracle-j2re1.6_1.6.0+update31_amd64.deb into directory /home/me/Downloads/
The Debian package has been created in the current directory. You can
install the package as root (e.g. dpkg -i oracle-j2re1.6_1.6.0+update31_amd64.deb).

4. sudo dpkg -i oracle-j2re1.6_1.6.0+update31_amd64.deb
Selecting previously unselected package oracle-j2re1.6.
(Reading database ... 561777 files and directories currently installed.)
Unpacking oracle-j2re1.6 (from oracle-j2re1.6_1.6.0+update31_amd64.deb) ...
Setting up oracle-j2re1.6 (1.6.0+update31) ...
update-alternatives: using /usr/lib/jvm/j2re1.6-oracle/bin/ControlPanel to provide /usr/bin/ControlPanel (ControlPanel) in auto mode.
update-alternatives: using /usr/lib/jvm/j2re1.6-oracle/lib/amd64/libnpjp2.so to provide /usr/lib/iceweasel/plugins/libjavaplugin.so (iceweasel-javaplugin.so) in auto mode.
update-alternatives: using /usr/lib/jvm/j2re1.6-oracle/lib/amd64/libnpjp2.so to provide /usr/lib/chromium/plugins/libjavaplugin.so (chromium-javaplugin.so) in auto mode.

5a. sudo update-alternatives --config java
There are 5 choices for the alternative java (providing /usr/bin/java).

  Selection    Path                                            Priority   Status
------------------------------------------------------------
* 0            /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/java   1061      auto mode
  1            /usr/bin/gij-4.4                                 1044      manual mode
  2            /usr/bin/gij-4.6                                 1046      manual mode
  3            /usr/lib/jvm/j2re1.6-oracle/bin/java             314       manual mode
  4            /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/java   1061      manual mode
  5            /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java   1051      manual mode
Press enter to keep the current choice[*], or type selection number: 3
update-alternatives: using /usr/lib/jvm/j2re1.6-oracle/bin/java to provide /usr/bin/java (java) in manual mode.

5b. sudo update-alternatives --config javaws
There are 2 choices for the alternative javaws (providing /usr/bin/javaws).
  Selection    Path                                              Priority   Status
------------------------------------------------------------
* 0            /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/javaws   1061      auto mode
  1            /usr/lib/jvm/j2re1.6-oracle/bin/javaws             314       manual mode
  2            /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/javaws   1061      manual mode
Press enter to keep the current choice[*], or type selection number: 1
update-alternatives: using /usr/lib/jvm/j2re1.6-oracle/bin/javaws to provide /usr/bin/javaws (javaws) in manual mode.
update-alternatives: warning: skip creation of /usr/share/man/man1/javaws.1.gz because associated file /usr/lib/jvm/j2re1.6-oracle/man/man1/javaws.1.gz (of link group javaws) doesn't exist.



6. Verification
java -version
java version "1.6.0_31"
Java(TM) SE Runtime Environment (build 1.6.0_31-b04)
Java HotSpot(TM) 64-Bit Server VM (build 20.6-b01, mixed mode)

Go to http://java.com/en/download/installed.jsp


Iceweasel worked fine at this stage.

7. To get Chrome to work I did the following:
sudo updatedb
locate libjavaplugin.so
/usr/lib/chromium/plugins/libjavaplugin.so
/usr/lib/iceweasel/plugins/libjavaplugin.so
/usr/lib/mozilla/plugins/libjavaplugin.so
ls -lah /usr/lib/chromium/plugins/libjavaplugin.so etc.
/usr/lib/chromium/plugins/libjavaplugin.so -> /etc/alternatives/chromium-javaplugin.so
/usr/lib/iceweasel/plugins/libjavaplugin.so -> /etc/alternatives/iceweasel-javaplugin.so
/usr/lib/mozilla/plugins/libjavaplugin.so -> /etc/alternatives/mozilla-javaplugin.so
ls -lah /etc/alternatives/chromium-javaplugin.so etc.
/etc/alternatives/chromium-javaplugin.so -> /usr/lib/jvm/j2re1.6-oracle/lib/amd64/libnpjp2.so
/etc/alternatives/iceweasel-javaplugin.so -> /usr/lib/jvm/j2re1.6-oracle/lib/amd64/libnpjp2.so
/etc/alternatives/mozilla-javaplugin.so -> /usr/lib/jvm/java-6-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so
sudo rm /etc/alternatives/mozilla-javaplugin.so
sudo ln -s /usr/lib/jvm/j2re1.6-oracle/lib/amd64/libnpjp2.so /etc/alternatives/mozilla-javaplugin.so


And you're done.


