nextos 3 months ago

That's my opinion as well. I run Emacs 24/7 but I do so inside Firejail, with no network access. It's not architected with security in mind and exploits are too easy.

The same can be said about the Linux userland. The Unix model of giving plenty of access to resources and any user file to user processes is outdated.

I find it frustrating something like Firejail or bwrap is not standard. I don't want a compromised program to have easy access to e.g. my SSH keys.

internet_points 3 months ago

Do you use firejail for other things too? Say I'm developing a js project and have to do npm install and run-dev-server or something, would/could you use firejail with that (to avoid npm putting your ssh keys on pastebin due to bad third party js)? Would you firejail the whole bash session?

I feel so worried every time I walk into a new ecosystem, and there are new developer tools required. They invariably want me to install things outside their project folder or edit .bashrc or require sudo. It's affecting my sleep. Just running `make` in the wrong folder can start downloading things. It's gotten so bad lately I'm even considering Qubes.

nextos 3 months ago

I use Firejail in the terminal as I am also concerned with the things you mentioned. bwrap is also a possibility. For simple use cases, they are not too intrusive. You can easily create a development profile that bans internet access and forbids read access to your important files. Then wrap CLI commands around that, or perhaps even the entire Bash session.

It's like a poor man's QubesOS. I also recommend setting up a userspace firewall like Little Snitch or OpenSnitch. Most malware requires Internet access to do harm. Those provide a good last line of defense. It's a shame the Unix model of giving coarse-grained access to user processes has not been patched. It's not that hard and it's a big security issue.

hollerith 3 months ago

>I run Emacs 24/7 but I do so inside Firejail

Can you share your Firejail config?

nextos 3 months ago

I just use the "net none" option. For the rest of the programs, Firejail default profiles are spot on.

Alternatively, you can use `bwrap --dev-bind / / --unshare-net emacs`.
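
One way to build the development profile described in this thread (no network, no read access to important files, wrapped around CLI commands) with bwrap. This is an added example, not code from any commenter; the function names and the `SECRET_DIRS` list are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: bwrap wrapper for a no-network development sandbox.
# SECRET_DIRS and all function names are assumptions made for this example.
SECRET_DIRS=".ssh .gnupg .aws .config/gh"

# True when binding $1 read-write would not expose $HOME (and its secrets).
devjail_safe_dir() {
    [ "$1" != / ] || return 1
    case "$HOME/" in "$1"/*) return 1 ;; esac
    return 0
}

# Print the bwrap arguments, one per line, for project directory $1.
devjail_args() {
    project=$1
    # Read-only view of the host, with fresh /dev, /proc and /tmp.
    printf '%s\n' --ro-bind / / --dev /dev --proc /proc --tmpfs /tmp
    # Empty tmpfs over each secret directory that exists, so reads see nothing.
    for d in $SECRET_DIRS; do
        if [ -d "$HOME/$d" ]; then
            printf '%s\n' --tmpfs "$HOME/$d"
        fi
    done
    # Only the project tree is writable; new, empty network namespace.
    printf '%s\n' --bind "$project" "$project" --chdir "$project" \
        --unshare-net --die-with-parent --new-session
}

# Run a command inside the sandbox, e.g.: devjail make test
devjail() {
    project=$(pwd -P)
    devjail_safe_dir "$project" || {
        echo "devjail: refusing to make $project writable" >&2
        return 1
    }
    # Split the argument list on newlines only, without globbing
    # (paths containing newlines are not supported).
    old_ifs=$IFS; IFS='
'; set -f
    set -- $(devjail_args "$project") "$@"
    IFS=$old_ifs; set +f
    bwrap "$@"
}
```

Source the file and run `devjail make test` from inside the project directory. Anything that needs to download (package installs, for instance) fails inside the sandbox, so fetch dependencies in a separate step.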