Thanks Tadaen.
Type: Posts; User: vbgf3; Keyword(s):
Thanks Tadaen.
"Learn to do it the proper way. It's much easier to manage." Remember I am constrained by how Ubuntu is set up to work by default. My finding is that sudo does not entirely constrain Gnome in...
Gnome uses polkit in addition to sudo to control the things that can be done in Gnome. To see the list of action.id it additionally defined, look at the policy files in /usr/share/polkit-1/actions/ ....
Hi Everyone,
A standard user in Ubuntu does not automatically obey the least privilege principle.
You have to do 2 things:
a. Deny sudo. So that the user cannot use sudo to accomplish...
Hi,
I don't understand why you said "Figuring out which directory a program is being run from with 90% accuracy is really easy. But the last 10% of possible cases is really ugly."
I use...
The "old style unix coding practice" I should have explained more on. I was referring to the way the main Firefox app relies on system bins as helpers to perform a core function - like initializing...
a. It is written in the old style unix coding practice. It relies on an army of helpers in /bin, especially on initialization. Although the included Apparmor profile lists them out, thus identifying...
Hi
I found my answer. It requires 2 steps.
A. Use visudo and add this line to deny user2 from doing anything using sudo
user2 ALL=(ALL) !ALL
B. Add a deny all user2 actions rule file...
Hi,
This is regarding Ubuntu 24.04, but should apply also to 22.04.
Currently user2 - a standard user, can edit a file owned by root using gnome-text-editor, and then save it successfully by...
Hi DuckHook,
You have an interesting workaround there. A compartmentalized Firefox will contain an intrusion, but the attack will still work, definitely now because there is no apparmor profile. ...
Hi,
I find the apparmor profile snap.firefox.firefox insecure in that it allows read access to the whole drive and the entire home directory. The @{HOME}/Documents directory should be denied...
In addition, there is TeamViewer Free for Linux, and it has 2FA. The password can be made to be valid for 1 time use only.
The attacker did it again. He slipped a package to me while I was upgrading. I am sure he didn't modify the ppa, he only sent me a file, maybe spoofing the source ip, and Ubuntu swallowed it whole....
Hi,
I am having a strange problem. I copied my ssh-keygen's pub file to usb stick and copied it to April's Windows folder as \Users\April\.ssh\authorized_keys.
When I ssh -vvv...
Clicking on ../ from https://mirror.fcix.net/ubuntu? reveals this page: https://mirror.fcix.net/ and it says it is sponsored by: Fremont Cabal Internet Exchange
Just in case you are wondering, I copied the PPA from Ubuntu mirrors web site. Here's what University of Waterloo is saying now:
Well, after posting the above address in my apt.conf, the attackers have resorted to blocking the pub key, I get this error:
I guess somehow now they have blocked the pub key. I won't be...
Hi,
I have a particular Ubuntu https apt update mirror that I want to use. And I want to verify its connection. In particular I want to forbid connections to any other mirror.
I have modified...
Hi,
I have modified ufw's before.rules to block incoming d-port 68, yet DHCP settings on Wire Connection still work? Why?
Yes, now I see that it is listening on local 127. My mistake.
Hi,
Did a netstat -tunlp today and found port 53 is a listening port. Did a little digging around and found it is resolv in /etc/systemd . Isn't running a service dangerous? If so, why is Ubuntu...
Did you do a 'sudo apparmor_parser -r <firefox profile>' to activate the profile?
A minimalist apparmor profile as a profile is supposed to be.
and this one:
I currently have the entire run directory open for read write:
Which I know is wrong and allowing too many rights. But Chrome doesn't connect to the internet unless I...
Hi,
I have spent a day or so looking at firejail.
Compared to my bwrap script, my bwrap script seems to do more. Since bwrap uses namespaces and you can choose which folders to bring into the...