If you like what I do, send me some Monero:

87ZN8URUY1M6GoXpxou4siDKJkLbLKDhT2RScrauzd4gbRyKgoY2ZX3Ut9WuMtkWebisViSE9EVRzVA1SD4kMdtAUPMiZBC

  • 39 Posts
  • 959 Comments
Joined 9 months ago
cake
Cake day: April 11th, 2024

help-circle













  • Yeah because Flatpak firefox is damn insecure!

    Please dont use it. Firefox devs dont care. Flatpak restricts browsers from spawning “user namespace” sandboxes for filesystem isolation.

    Chromium uses a fork server (zygote) and breaks when it cannot spawn these sandboxes. So developers created zypak, which allows to isolate processes using bubblewrap, the Flatpak sandbox.

    Firefox just runs without a sandbox, and doesnt have a fork server, so nobody cares.

    Without process isolation, you have less duplicated content. This saves space but IT IS INSECURE.

    Please use a non-Flatpak Firefox version.

    There is no reason why a “Zen Browser” should use less RAM than Firefox.


    • use a non sudo user for the user
    • somehow get the IP address of that laptop all the time. There are dynDNS solutions like this where the client just needs to automatically download a certain file daily and you know his IP, my implementation is here.
    • have ssh access to root with a ssh key. The usual hardening, fail2ban, block using passwords
    • open the port for ssh on the clients system

    If something goes wrong, login via ssh (you know the dynamically changing IP) and remove a directory or the entire user.

    You cannot avoid that a user would copy files from there to a usb stick. Well you could, by using usbguard. Works really well in my experience, just prevent nonsudo users from adding new devices.

    And then you need to prevent the user from booting another system, or taking out the SSD and reading it. TPM and boot lock is the right thing here, what Max-P wrote.