tag:blogger.com,1999:blog-2097135883039084989.post-82613201120317217432007-10-09T08:19:00.000-07:002007-10-09T09:03:22.647-07:00A simple trick to improve Firefox securityFirefox can run with add-ons disabled and what not, but if you run Firefox under Gentoo Linux, using the hardened profile, you can use a simple trick to have two different instances of Firefox available, with different enforcement of memory permissions and the usual PaX features:<br /><br />PaX features disabled via <code>PT_PAX_FLAGS</code>, will allow most plugins to run without issues (although, for example acroread will require specific permissions on its own binary to run):<br /><br /><code>paxctl -pemrxs /usr/lib/mozilla-firefox/firefox-bin</code><br /><br />Recommended settings (that might slow down Firefox in some systems, with noticeable overhead when there's a heavy use of Javascript or AJAX functionality):<br /><br /><code>paxctl -PEmRXs /usr/lib/mozilla-firefox/firefox-bin</code><br /><br />For Acrobat Reader (only Address Space Layout Randomization -ASLR- can be enabled without affecting the functionality, blame the poorly compiled binary):<br /><br /><code>paxctl -pemRXs /opt/Acrobat7/Reader/intellinux/bin/acroread</code><br /><br />You should try to use a different PDF application anyway, if you really trust any of them :)<br /><br />Description of the <code>PT_PAX_FLAGS</code> flags:<br /><pre><br />PaX control v0.4<br />Copyright 2004,2005,2006 PaX Team <pageexec@freemail.hu><br /><br />usage: paxctl <options> <files><br /><br />options:<br /> -p: disable PAGEEXEC -P: enable PAGEEXEC<br /> -e: disable EMUTRMAP -E: enable EMUTRMAP<br /> -m: disable MPROTECT -M: enable MPROTECT<br /> -r: disable RANDMMAP -R: enable RANDMMAP<br /> -x: disable RANDEXEC -X: enable RANDEXEC<br /> -s: disable SEGMEXEC -S: enable SEGMEXEC<br /><br /> -v: view flags -z: restore default flags<br /> -q: suppress error messages -Q: report flags in short format<br /> -c: convert PT_GNU_STACK into PT_PAX_FLAGS (see manpage!)<br /> -C: create PT_PAX_FLAGS (see manpage!)<br /></files></options></pageexec@freemail.hu></pre><p>Simply copy the <code>firefox-bin</code> binary to <code>firefox-secure</code> and apply the different flags as necessary.<br /></p>John Doenoreply@blogger.com