Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: mention risk of SUID binaries and also firejail-users(5) #5290

Merged
merged 1 commit into from
Aug 14, 2022
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions src/man/firejail.txt
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,17 @@ Firejail allows the user to manage application security using security profiles.
Each profile defines a set of permissions for a specific application or group
of applications. The software includes security profiles for a number of more common
Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
.\" TODO: Explain the security/usability tradeoffs from #4601.
.PP
Firejail is currently implemented as an SUID binary, which means that if a
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not a native speaker, but shouldn't it be 'a' SUID binary... ?

Copy link
Collaborator Author

@kmk3 kmk3 Aug 3, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@glitsj16 on Aug 3:

Not a native speaker, but shouldn't it be 'a' SUID binary... ?

I'm fairly sure it depends on how you pronounce the word in question (at least
when spoken out loud; not sure about when writing manuals).

I personally read SUID spelled out as "S U I D" (that is, "ess you I d", in
which case "ess" starts with a vowel sound, and so "an" would be used), though
I can imagine someone saying it as "a soo'd binary" (that is, where "soo"
starts with a consonant sound and so "a" would be used). Not sure which one
would be the most common.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I happenend to be on IRC and asked around. Everyone agreed your version is the better, correct one :-) Thanks for the explanation, learned something today!

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@glitsj16 on Aug 3:

I happenend to be on IRC and asked around. Everyone agreed your version is
the better, correct one :-)

Good to know what the common usage is like :)

Thanks for the explanation, learned something today!

Anytime!

malicious or compromised user account manages to exploit a bug in Firejail,
that could ultimately lead to a privilege escalation to root.
To mitigate this, it is recommended to only allow trusted users to run firejail
(see firejail-users(5) for details on how to achieve that).
For more details on the security/usability tradeoffs of Firejail, see:
.UR https://github.com/netblue30/firejail/discussions/4601
#4601
.UE
.PP
Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/)
are not supported. Snap and flatpak packages have their own native management tools and will
Expand Down