# Why don't browsers use sandbox on FreeBSD?



## Pwkepkw (Jul 28, 2019)

Firefox gives a message right after the installation, saying that some of the components are not available because the backends they need are missing. One of them is the sandbox.
Although it doesn't give any message, chromium or iridium doesn't have any sandbox either. chrome:sandbox gives me a blank page.

I'm a bit afraid to use a browser that doesn't have a sandbox. Does anybody have the same problem too?


----------



## Lamia (Jul 28, 2019)

There is little FreeBSD developers can do about that. The orgs that made the browsers need to get their developers to add it into their respective browsers. 

A number of them have done so though. Capsicum is a sandbox, if I am correct, and a number of apps now have it integrated into them. The FreeBSD team is also continuously working to get some services run on it.


----------



## Pwkepkw (Jul 28, 2019)

Lamia said:


> There is little FreeBSD developers can do about that. The orgs that made the browsers need to get their developers to add it into their respective browsers.
> 
> A number of them have done so though. Capsicum is a sandbox, if I am correct, and a number of apps now have it integrated into them. The FreeBSD team is also continuously working to get some services run on it.



So, people who use FreeBSD as their daily OS, do they really use unsandboxed browsers? Isn't it a big security issue?


----------



## drhowarddrfine (Jul 28, 2019)

Pwkepkw, since NO browser has a sandbox you can use anywhere, what are you using?

Of course, what you are saying isn't true at all.


----------



## Lamia (Jul 28, 2019)

Running your browser in a virtualbox or a jail is more or less running it in a sandbox.


----------



## drhowarddrfine (Jul 28, 2019)

Lamia, but that's not the subject.


----------



## Deleted member 30996 (Jul 28, 2019)

Pwkepkw said:


> So, people who use freebsd as their daily OS, they really use unsandboxed browsers? Isn't it a big security issue?



I use FreeBSD as my daily OS and don't consider it an issue. I use the HTTPS Everywhere, NoScript, Privacy Badger, Toggle Referrer, uBlock Origin and User-Agent Switcher extensions for Firefox, run my browser from the usr account only and am not the least bit worried.


----------



## Pwkepkw (Jul 31, 2019)

Other than running the browser in a jail, is it possible to compile the browser with a Capsicum backend?


----------



## unitrunker (Jul 31, 2019)

1. run it chroot'd
2. run it with super capsicumizer 9000
3. run it in a jail.

https://github.com/myfreeweb/capsicumizer

I'm curious what it would take to get X running in a jail.

Back to the browser - typing 'pgrep iridium' returns 8 or so process ids - so you have some process level sandboxing.

(iridium is a chromium derivative)


----------



## olli@ (Jul 31, 2019)

FWIW, Chrome (and chromium) put each tab in its own, separate process, so this is one level of sandboxing. Furthermore it's probably a good idea to run your browser inside a jail (probably with a different, non-privileged user ID). It's not perfect because it can still access your X server (this will be better with Wayland), but it should be sufficient for most purposes.


----------



## hukadan (Jul 31, 2019)

unitrunker said:


> I'm curious what it would take to get X running in a jail.


It is not too much work (if by that you mean running an X application in a jail -- here is the HowTo I wrote some time ago) but, as said by olli@, you still have to use X forwarding, which greatly reduces the isolation provided by jails. I have been playing with x11/xpra lately in order to get rid of this X forwarding (IIRC, x11/xpra is used by the Subgraph Linux distribution for this very purpose). I still have to find a way to play videos smoothly though.


----------



## unitrunker (Jul 31, 2019)

This seems like a feature for the window manager. Anything launched from a window manager menu is automatically placed in a jail (or capsicumized or chroot'd). You have *really* isolated desktop environments.

X and Wayland both rely on shared memory to push pixmaps across processes. Otherwise, the pixmaps must be pushed over the wire which is much slower. That may be impacting your videos.


----------



## hukadan (Aug 1, 2019)

unitrunker said:


> This seems like a feature for the window manager.


Reading further, they use a launcher called Oz and use x11/xpra with a Unix Domain Socket (may be a hint, since I have not yet tried using a socket) for X applications.



unitrunker said:


> X and Wayland both rely on shared memory to push pixmaps across processes. Otherwise, the pixmaps must be pushed over the wire which is much slower. That may be impacting your videos.


As a simple user, my knowledge on the subject is not deep enough to even understand your sentence. But at least, I know where to look and read.


----------



## ShelLuser (Aug 1, 2019)

Features don't keep you safe, your actions do. Unless you're using that browser as root I don't see how this could cause any issues.


----------



## tingo (Aug 2, 2019)

hukadan said:


> I have been playing with x11/xpra lately in order to get rid of this X forwarding


Thanks - I didn't know about xpra. A quite interesting tool.


----------



## hukadan (Aug 2, 2019)

Wozzeck.Live said:


> I use Windows since more than 40 years.....


Windows 1.0 was released in 1985. So unless you are back from the future, you can't have been using it for more than 40 years.


----------



## olli@ (Aug 2, 2019)

Wozzeck.Live said:


> I use Windows since more than 40 years.....


Do you mean Microsoft Windows? The first version was released in 1985, so that would be 34 years at most.


> I never got any viruses, I have never been hacked in any manner


Let's say you never _noticed_ you've been hacked. You'll never know for sure.

On several occasions I had to fix Windows PCs that had “undefined problems”. Turned out they were hacked and/or malware-infected, without their owner being aware of it. Typically the complaint was that “the internet is slow” or “the HDD lights up all the time”. They had no idea that their PC was sending 10,000 spam mails per minute.


> The main things : never run a browser in root mode


More importantly: Don't even log into your machine (or into the X server) as root. Even better, change the root account to have /usr/sbin/nologin as its login shell.


> And I personally recommend you to switch to Firefox.


Well, it's purely a matter of taste which browser you use. Personally I dislike Firefox. I use Chromium (Chrome) for most things. For simple web pages that don't require JavaScript I use Dillo, because it is much, _much_ faster than the other browsers, and more secure because it doesn't support JavaScript at all (but unlike lynx or w3m it is a graphical browser that supports CSS with images, tables etc.).


----------



## obsigna (Aug 2, 2019)

Pwkepkw, what do you expect to see below the given link, namely chrome://sandbox?

I got the most recent versions of chrome 76.0.3809.87 on Mac (German localization) and Windows (Portuguese localization), and I see only:

*Mac*



*Windows*



So what?


----------



## shkhln (Aug 2, 2019)

> Why don't browsers use sandbox on FreeBSD?



The actual intellectually honest answer: some things are written against Linux-specific interfaces and it takes time and effort to port (or rewrite) them. There are no other reasons.



Wozzeck.Live said:


> The main things : never run a browser in root mode



Protecting root isn't all that important when all your valuable information is stored under your regular user account.


----------



## George (Aug 2, 2019)

I think Chromium uses the "sandbox" feature, unless you specify the "--no-sandbox" command line option.

https://chromium.googlesource.com/chromium/src/+/master/docs/design/sandbox.md


----------



## drhowarddrfine (Aug 2, 2019)

shkhln said:


> The actual intellectually honest answer


The actual answer is that NO browser runs sandboxed unless you, the user, sandbox it. As already stated, browsers sandbox their tabs within the browser. The original question assumes all other operating systems sandbox the browser. The reality is, as I already said, NO operating system does this!


----------



## shkhln (Aug 2, 2019)

I'm talking about unimplemented features in general, but if you want to pick an internet fight around the definition of the word "sandbox", you sure can.



drhowarddrfine said:


> The actual answer is that NO browser runs sandboxed unless you, the user, sandbox it.


Am I supposed to implement this myself?



drhowarddrfine said:


> As already stated, browsers sandbox their tabs within the browser.


Firefox explicitly doesn't do this. There is a limited pool of content processes.



drhowarddrfine said:


> The original question assumes all other operating systems sandbox the browser.


Nope. The original question talks about `pkg info -D firefox` message. Go read it.



drhowarddrfine said:


> The reality is, as I already said, NO operating system does this!


Ok.


----------



## unitrunker (Aug 2, 2019)

There may be some confusion on running a sandboxed app vs. keeping bits of JavaScript from mucking with other sites.


----------



## xtremae (Aug 2, 2019)

Pwkepkw said:


> Although it doesn't give any message, chromium or iridium doesn't have any sandbox too. chrome:sandbox gives me a blank page.


The page is blank because unlike other platforms, neither of those browsers is officially supported on FreeBSD, they are ports. On supported platforms (like Linux), they use platform specific extensions like network and PID namespaces (which if I'm not mistaken were created by Google), seccomp-bpf, SELinux, etc.


----------



## Deleted member 9563 (Aug 3, 2019)

Wozzeck.Live said:


> I use Windows since more than 40 years.....


Windows 1.0 came out 32 years ago. (November 20, 1985) Although the first smoothly working version was 3.1 which came out in 1992. (27 years ago)

But yeah, those early versions are kinda fun nowadays. I especially like 3.0 on a TTL monitor - very cool.


----------



## drhowarddrfine (Aug 3, 2019)

shkhln said:


> Firefox explicitly doesn't do this.


Then one of us is confused and, looking through some of the replies, it seems we're not all on the same page, but Firefox explicitly does sandbox tabs.
Didn't check to see if this was related: Mozilla Sandbox


----------



## George (Aug 3, 2019)

`pkg info -D firefox`


```
firefox-68.0.1:
Always:
======================================================================

Some features available on other platforms are not implemented:
...
- Process sandboxing (requires Capsicum backend)
...
```


----------



## Pwkepkw (Aug 6, 2019)

Elazar said:


> `pkg info -D firefox`
> 
> 
> ```
> ...



Thanks for showing this.

I mean, everyone suggested running the browser in a jail, but I think it's hard to understand configuring jails. And apparently the browser does the same thing by default on Linux.


----------



## Deleted member 30996 (Aug 7, 2019)

Pwkepkw said:


> I mean, everyone suggested to run the browser in jail,



What exactly are you afraid you're going to pick up? JavaScript trojan? My extensions cover all that. A jail is overkill IMO.

I still occasionally go to what used to be my favorite site online. Content was lost, the owner became more interested in click revenue and none too picky who he sold ad space to. In the past it was flagged by Google as downloading malware and reported to have infected fellow forum members' Windows machines. I never saw the red Google page, script driven ads, their payload, worried about being infected or stopped going due to that.


I wasn't as lucky as Wozzeck.Live with my Win98 machine. My old chat m8t's used to be able to crash my browser at will. I'd log back into chat and they could tell me what AntiVirus software I was using and laugh about it. I'd unplug my modem and reformat. That had to change and did in my favor. It's why I'm here and where I am today. And why at times I may seem overzealous about Internet Security.

I owe them a great debt and often think fondly of them. They don't share the sentiment. As long as they don't bother me anyplace else I don't bother them in chat and that's worked fairly well for the past 20 years or so. I had to show up a couple years ago when they tested my patience. They knew who I was, what Jigoku meant and why I was there. Seeing me there was anything but funny to them, that's all it took. I left without another word and took Hell with me.


----------



## shkhln (Aug 7, 2019)

Trihexagonal said:


> What exactly are you afraid you're going to pick up?



Let me restate the original question in a bit more relatable way. Suppose the aforementioned Capsicum backend for Firefox is finally implemented. Would you be comfortable with saying something like "Meh, FreeBSD doesn't need this. I feel safe enough as it is". Would you _disable_ it?



Trihexagonal said:


> JavaScript trojan?



FWIW, I also use NoScript. First, apparently WebExtensions are a bit flaky and (post-XUL) Firefox occasionally silently disables it until restart. Second, NoScript itself tends to allow small javascript snippets (such as inline onclick handlers in html), while reporting javascript being completely disabled.


----------



## shkhln (Aug 7, 2019)

As for what process sandbox is actually supposed to contain… Consider the newer web APIs such as WebGL or WebUSB (yep), or whatever. Each of this APIs requires a javascript binding to yet another C library, which means more potential VM escape exploit opportunities. Then there is Widevine and similar DRM technologies, available without source code. No sense in running that with full access to user files either.


----------



## Deleted member 30996 (Aug 7, 2019)

shkhln said:


> Let me restate the original question in a bit more relatable way. Suppose the aforementioned Capsicum backend for Firefox is finally implemented. Would you be comfortable with saying something like "Meh, FreeBSD doesn't need this. I feel safe enough as it is". Would you _disable_ it?



It's doubtful I would disable it but I feel safe with my current config after I dig through about:config. As long as we don't adopt a GUI I'm good with about anything. NoScript claims to beat Spectre and Meltdown. I've never been afraid to go to any site no matter what it was hosting as far as being infected or compromised. I'm no stranger to Russian sites and have visited many. That's where the music never stops playing. I would make a day of it listening to Britney Spears fast as I could go.

I go to very few sites anymore, 3-4 regular sites and to check on mine unless I'm researching something, so the chances of me being exploited are less likely now than ever. I gave up word games, I dominate those forums as it is. I don't work on Demonica anymore or visit that community. She can take care of herself and they rarely post their bot transcript since seeing mine.

I haven't used a sandbox application since Windows XP or Vista. I looked to find the name and see that Windows10 has a sandbox feature. I never did feel safe using Win10Pro. Even after doing everything within my power to lock it down still felt like I was vulnerable to exploit the whole time I was online. I accidentally installed FreeBSD on that HDD but am happier with Win7 on the same laptop since the only thing I do on Windows is play Oblivion and it stays offline.





shkhln said:


> FWIW, I also use NoScript. First, apparently WebExtensions are a bit flaky and (post-XUL) Firefox occasionally silently disables it until restart. Second, NoScript itself tends to allow small javascript snippets (such as inline onclick handlers in html), while reporting javascript being completely disabled.



I've used Firefox since it came out and the selling point was quick loading. I hate FireFox Quantum Strangeness and what it's done to my extensions.

I'm sure it sends a list of which extensions you have installed back home. I found it before but too tired to look my rant up now. DownLoadThemAll! Mass Downloader was not something I would have chosen to advertise I had installed on my machine. Sounds like something a Pirate would use... ☠

I check NoScript at virtually every site I visit and have never seen it been disabled without my knowledge. Can you provide a link to show it allows small JS snippets?

It's the reason I was alerted to an IP belonging to my ISP wanting JS enabled when I visited some new sites. I made a pf rule to block incoming from that IP#. Later that night it alerted me that IP# was still showing up and I had to make a block outgoing rule to defeat it. Probably due to snooping the throttled 30GB download package I didn't agree to they signed me up for anyway.


----------



## Deleted member 9563 (Aug 7, 2019)

Trihexagonal said:


> I've never been afraid to go to any site no matter what it was hosting as far as being infected or compromised. I'm no stranger to Russian sites and have visited many.


Same here. I have always gone to any site my little heart desired. It is possible that I have some bad choice in my security related settings, but in any case I don't think that a malicious site would look like it was malicious if they were serious about compromising a slightly more advanced user than average.

As for the Russian thing, that's a bit of a joke nowadays.   I agree that there are lots of Russian sites that are good and relevant to us in the West. But apart from that, I use dot ru domains specifically because of the cachet (and because they're cheap).  http://slumlord.ru is mine, for example. That's hosted in USA, but I also host sites on a server in Moscow. I'm not even vaguely Russian otherwise. It's all in good fun, and just goes to show that the very popular term "Russian sites" does not actually have an internet related definition.


----------



## Beastie (Aug 7, 2019)

Trihexagonal said:


> I wasn't as lucky as Wozzeck.Live with my Win98 machine. My old chat m8t's used to be able to crash my browser at will. I'd log back into chat and they could tell me what AntiVirus software I was using and laugh about it. I'd unplug my modem and reformat.


Ah, the golden age of script kiddies and their two favorite tools, Sub7 and Back Orifice, and the wonderfully secure Windows 98/SE/ME!!! The nineties were such a piece of s great decade!


----------



## kpedersen (Aug 7, 2019)

Pwkepkw said:


> I mean, everyone suggested running the browser in a jail, but I think it's hard to understand configuring jails.



I suppose because I use them daily, jails are pretty much there and set up. However I can see your point that they might be a bit of a faff to use *just* for a web browser.

I think if you just make a new user account specifically for web browsing, then use something like `sudo` to log in and run the web browser as that user, you will generally be pretty safe. With some scripting you can even reset the profile after each session.

That said... Jails are a great thing to learn if you have time

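The dedicated-account approach described above, as an added example script (not the thread's or any project's code). It assumes placeholders: an account webuser, a browser binary firefox, home directories under /home, doas(1) or sudo(8) already configured so the desktop user may run commands as webuser, and an X server that honours xhost's si:localuser access control.

```shell
#!/bin/sh
# Added example (not from the thread or any project): launch a browser as a
# dedicated unprivileged account and restore a clean profile before every
# session. Placeholders assumed here: account "webuser", browser "firefox",
# homes under /home, and doas(1) or sudo(8) already configured so the desktop
# user may run commands as webuser.

BROWSER_USER="${BROWSER_USER:-webuser}"
BROWSER_BIN="${BROWSER_BIN:-firefox}"
# A clean profile prepared once (extensions, settings); it is copied over the
# live profile before each launch so cookies, cache and history do not persist.
PROFILE_TEMPLATE="${PROFILE_TEMPLATE:-/home/$BROWSER_USER/profile-template}"
PROFILE_DIR="${PROFILE_DIR:-/home/$BROWSER_USER/.mozilla}"

# pick_runner: print the privilege-switching prefix, preferring doas.
# Returns 1 when neither doas nor sudo is installed.
pick_runner() {
    if command -v doas >/dev/null 2>&1; then
        printf 'doas -u'
    elif command -v sudo >/dev/null 2>&1; then
        printf 'sudo -u'
    else
        return 1
    fi
}

# reset_profile TEMPLATE DIR: replace DIR with a fresh copy of TEMPLATE.
# Returns 1 and leaves DIR untouched when TEMPLATE does not exist.
reset_profile() {
    [ -d "$1" ] || return 1
    rm -rf "$2"
    cp -R "$1" "$2"
}

# build_cmd RUNNER USER DISPLAY SCRIPT: print the launch command line.
# env -i drops the desktop user's environment (agent sockets, tokens, HOME)
# and hands the browser account only a HOME, the display and a fixed PATH;
# the script then re-enters itself as that user in "session" mode.
build_cmd() {
    printf '%s %s env -i HOME=/home/%s DISPLAY=%s PATH=/usr/local/bin:/usr/bin:/bin sh %s session' \
        "$1" "$2" "$2" "$3" "$4"
}

launch() {
    runner=$(pick_runner) || { echo "doas or sudo required" >&2; return 1; }
    script=$(cd "$(dirname "$0")" && pwd)/$(basename "$0")
    # Let only this local account talk to the X server (server-interpreted
    # access control). As noted above, X access remains a hole that a jail
    # plus xpra would close; this only narrows it to one account.
    xhost "+si:localuser:$BROWSER_USER" >/dev/null
    eval "$(build_cmd "$runner" "$BROWSER_USER" "${DISPLAY:-:0}" "$script")"
    xhost "-si:localuser:$BROWSER_USER" >/dev/null
}

case "${1:-}" in
    launch)
        launch
        ;;
    session)
        # Now running as $BROWSER_USER with the stripped environment.
        reset_profile "$PROFILE_TEMPLATE" "$PROFILE_DIR" ||
            echo "no profile template, keeping current profile" >&2
        exec "$BROWSER_BIN"
        ;;
esac
```

Install it as browse-as.sh, prepare the template profile once as webuser, then run `browse-as.sh launch` from the desktop session.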

----------



## Deleted member 30996 (Aug 7, 2019)

OJ said:


> As for the Russian thing, that's a bit of a joke nowadays.   I agree that there are lots of Russian sites that are good and relevant to us in the West.



These sites were in Cyrillic with maybe a little English interspersed. One was a Russian speaking only forum where kind people shared locally recorded Russian folk songs en masse. I don't read Cyrillic but know how a forum and websites work so can make my way around.




Beastie said:


> Ah, the golden age of script kiddies and their two favorite tools, Sub7 and Back Orifice, and the wonderfully secure Windows 98/SE/ME!!! The nineties were such a piece of s great decade!



I'll always think of Win98 as the Swiss Cheese of Operating Systems. I had run an Apple II but the only thing I knew how to do with my shiny new Gateway when I set it up was press the power button to turn it on. It was all new to me but taught me the importance of learning about Internet Security. I started looking at Linux Live CDs and eventually found a FreeBSD variant that got me to the desktop. I took it from there.

It's not 1337 h4x0r skills they phear, it's the havoc I can cause in a chatroom. I'd been there 4-5 days playing games before I got tired of it and made myself known.


----------



## Phishfry (Aug 7, 2019)

I don't think a browser needs a sandbox. Unzipping files from the internet does.


----------



## Deleted member 9563 (Aug 8, 2019)

Phishfry said:


> I don't think a browser needs a sandbox. Unzipping files from the internet does.


I think that basically nails the subject of this thread.


----------



## shkhln (Aug 8, 2019)

Trihexagonal said:


> Can you provide a link to show it allows small JS snippets?



I don't have any examples. I might have misinterpreted "Attempt to fix JavaScript links" or "Script Surrogates" features.


----------



## shkhln (Aug 8, 2019)

OJ said:


> I think that basically nails the subject of this thread.



I don't think shoot-the-messenger attitude will do us any good.


----------



## Deleted member 9563 (Aug 8, 2019)

shkhln said:


> I don't think shoot-the-messenger attitude will do us any good.


Can you explain what you mean by that? I don't use a sandbox for my browser so I'm not familiar with its use as a messenger, or what information I could glean from it that I might need.


----------



## shkhln (Aug 8, 2019)

OJ said:


> Can you explain what you mean by that?



Even if _you_ don't understand the importance of exploit mitigation, the Firefox port maintainer apparently thought it was important enough to mention it in the package notes. That alone should be enough of an argument against knee-jerk dismissals.


----------



## hukadan (Aug 8, 2019)

kpedersen said:


> I think if you just make a new user account specifically for web browsing


This is the recommended way according to the DragonFlyBSD Handbook: https://www.dragonflybsd.org/docs/handbook/RunSecureBrowser/


----------



## Pwkepkw (Aug 8, 2019)

Trying to compensate for the lack of security with plugins like NoScript, uMatrix or uBlock is not something I would do. It's like covering all the window spaces with tape while all of them are open.


(Firefox for Windows)




AFAIK, the sandbox is not only for keeping browser exploits away from the computer, it protects individual tabs from each other too. This is how it works on Windows. I don't know how UNIX is different, though.





- FreeBSD does not have ASLR (Phoronix Forums, www.phoronix.com)
- FreeBSD gets ASLR (firmwaresecurity.com): Implement Address Space Layout Randomization (ASLR) With this change, randomization can be enabled for all non-fixed mappings. It means that the base address for the mapping is selected with a guar…

FreeBSD got ASLR... in 2019.


----------



## getopt (Aug 8, 2019)

Pwkepkw said:


> FreeBSD got ASLR... in 2019.


Thank you for pointing to the long awaited ASLR.


			
				https://wiki.freebsd.org/ASLR said:
			
		

> *Address Space Layout Randomization (ASLR)*
> 
> Support for Address Space Layout Randomization was added in FreeBSD HEAD (13-CURRENT) in base r343964. It is _disabled_ by default.
> 
> ...


Please be advised that 13-CURRENT is NOT YET a supported version.
If there is any doubt about this see https://www.freebsd.org/releases/
For announcements it is advisable to use the official ones.


----------



## shkhln (Aug 8, 2019)

Pwkepkw said:


> Trying to compensate for the lack of security with plugins like NoScript, uMatrix or uBlock is not something I would do. It's like covering all the window spaces with tape while all of them are open.



Hey, NoScript is very handy for blocking popups, autoplaying videos, animated advertisements and all kinds of junk. I wouldn't describe the experience as inconvenient at all.



Pwkepkw said:


> AFAIK, the sandbox is not only for keeping browser exploits away from the computer, it protects individual tabs from each other too. This is how it works on Windows. I don't know how UNIX is different, though.



Tabs are protected from each other by browser security policy, which is enforced on javascript VM level. Process sandbox is an _additional_ layer of isolation on top of that. Exploits are pretty much its only concern.


----------



## kpedersen (Aug 8, 2019)

shkhln said:


> Hey, NoScript is very handy for blocking popups, autoplaying videos, animated advertisements and all kinds of junk. I wouldn't describe the experience as inconvenient at all.



Agreed, whilst it will not solve all security issues, it makes many sites actually bearable.

That said, I know nothing about the guys behind this plugin or uBlock Origin so I imagine there is scope for some info slurping through these two.
A brief look at it now suggests that uBlock is already getting a little seedy in terms of competing implementations trying to pretend to be the main one.


----------



## Deleted member 30996 (Sep 4, 2019)

Trihexagonal said:


> I hate FireFox Quantum Strangeness and what it's done to my extensions.
> 
> I'm sure it sends a list of which extensions you have installed back home.



I was right. www/firefox-esr now has personalized extension recommendations:



> To better predict what extensions you may find interesting, Firefox uses the Telemetry-Aware Add-on Recommender (TAAR) system—a Mozilla service that recommends extensions by examining basic browser Telemetry. This means TAAR analyzes usage statistics from a large number of other Firefox users, looks at other extensions you may have installed, and considers general characteristics about your Firefox profile (like language preference). Based on this information, TAAR surfaces extension recommendations tailored just for you.



You can opt out but it's enabled by default.

I just finished updating it and it's already crashed once trying to post this.

