On 2022-01-27 21:44:07 -0600, Nicholas Geovanis wrote:
> On Wed, Jan 26, 2022, 12:39 PM Andrei POPESCU <andreimpope...@gmail.com>
> wrote:
>
> > I'll use the opportunity to draw attention to DSA-5059-1, see e.g. this
> > article for details:
> >
> > https://arstechnica.com/information-technology/2022/01/a-bug-lurking-for-12-years-gives-attackers-root-on-every-major-linux-distro/
> >
> > And please don't bother to reply with "there are no other users on this
> > system I should worry about", the bad guys could still find ways to get
> > in, e.g. via a compromised browser, regardless if you are behind a
> > firewall or not[1].

Running the browser in firejail should be sufficient as the profile
should disable pkexec, e.g.

$ firejail --profile=firefox ls
Reading profile /etc/firejail/firefox.profile
[...]
Error: execute permission denied for /usr/bin/pkexec
Error: no suitable pkexec executable found

> Servers don't have browsers installed on them, for exactly this reason.

Servers shouldn't have pkexec installed in the first place, anyway.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
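
A static complement to the runtime check in the message above, as an added example that is not part of the thread and not firejail's own code: a simplified shell function that follows `include` lines in a profile and reports whether a `blacklist` entry covers pkexec. The function names and the sample profile contents are constructed for illustration; it does not model firejail's conditionals, macros, or search paths.

```shell
#!/bin/sh
# Simplified static check (not firejail's parser): follow "include" lines
# in a profile and report whether a "blacklist" entry covers a program.
# First matching directive wins, so an earlier "noblacklist" cancels it.

# profile_blacklists NAME DIR FILE (hypothetical helper)
# returns 0 = blacklisted, 2 = cancelled by noblacklist, 1 = no entry
profile_blacklists() {
    _name=$1; _dir=$2
    [ -r "$_dir/$3" ] || return 1
    while read -r _kw _arg _rest; do
        case $_kw in
            blacklist)   case $_arg in */"$_name") return 0 ;; esac ;;
            noblacklist) case $_arg in */"$_name") return 2 ;; esac ;;
            include)
                # recurse into the included file, propagate a decision
                if profile_blacklists "$_name" "$_dir" "$_arg"; then return 0
                elif [ $? -eq 2 ]; then return 2
                fi ;;
        esac
    done < "$_dir/$3"
    return 1
}

# pkexec_status DIR FILE: human-readable result for pkexec
pkexec_status() {
    if profile_blacklists pkexec "$1" "$2"; then echo "blacklisted"
    elif [ $? -eq 2 ]; then echo "cancelled by noblacklist"
    else echo "no blacklist entry"
    fi
}

# Constructed sample profiles (not the files shipped in /etc/firejail).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '# constructed' 'blacklist ${PATH}/pkexec' \
    > "$demo_dir/disable-common.inc"
printf '%s\n' 'include disable-common.inc' > "$demo_dir/firefox.profile"
printf '%s\n' 'noblacklist ${PATH}/pkexec' 'include disable-common.inc' \
    > "$demo_dir/relaxed.profile"
printf '%s\n' 'caps.drop all' > "$demo_dir/bare.profile"

for p in firefox relaxed bare; do
    echo "$p.profile: $(pkexec_status "$demo_dir" "$p.profile")"
done
```

A profile that reports anything other than "blacklisted" is worth confirming with the runtime test shown in the message, which remains the authoritative check.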