-
Notifications
You must be signed in to change notification settings - Fork 29
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
What's the best way to start fdns instances for firejail as a user? #51
Comments
Interesting topic. I do indeed think
|
I'm need to read more about polkit. Anyway, here is my first attempt. Actually a rule for pkexec in enough to execute
polkit.addRule(function(action, subject) {
var re = new RegExp("^/usr/bin/fdns --proxy-addr=127\\.70\\.74\\.[0-9]{1,3}( --whitelist=[A-Za-z0-9._-]+)*$");
if (action.id === "org.freedesktop.policykit.exec" &&
action.lookup("program") === "/usr/bin/fdns" &&
re.test(action.lookup("command_line")) &&
subject.user === "rusty-snake" && subject.local && subject.active) {
return polkit.Result.YES;
}
}); NOTE: This does not work for Debian/Ubuntu because they still ship polkit 0.105 which uses PKLA-rules. Apparently they have some security concerns about using Javascript for that. But I can't understand it, javascript is the first word that comes to my mind when I hear security 🤡. |
Ok, I go with polkit. [UPDATE: https://github.com/rusty-snake/fdns4users#example-for-polkit] polkit.addRule(function(action, subject) {
const USER = "john";
const PROGRAM = "/usr/bin/fdns";
const IP = "127\\.70\\.74\\.[0-9]{1,3}";
const PROXY_ADDR = `--proxy-addr=${IP}`;
const WHITELIST = `--whitelist=[A-Za-z0-9._-]+`;
const ZOM_WHITELIST = `( ${WHITELIST})*`;
const RE = new RegExp(`^${PROGRAM} ${PROXY_ADDR}${ZOM_WHITELIST}$`);
// Debugging: uncomment to see the final RegExp
//polkit.log(RE.toString());
if (action.id === "org.freedesktop.policykit.exec" &&
action.lookup("program") === PROGRAM &&
RE.test(action.lookup("command_line")) &&
subject.user === USER && subject.local && subject.active) {
return polkit.Result.YES;
}
}); #!/bin/bash
PROXY_ADDR=127.70.74.68
FDNS_LOG_FILE="$HOME/fdns-log.txt"
ALLOWED_DOMAINS=(example.com)
whitelist=()
for domain in "${ALLOWED_DOMAINS[@]}"; do
whitelist+=("--whitelist=$domain")
done
echo -e "\n\n===> fdns --proxy-addr=$PROXY_ADDR ${whitelist[@]} <===\n" >> $FDNS_LOG_FILE
pkexec fdns "--proxy-addr=$PROXY_ADDR" "${whitelist[@]}" >> $FDNS_LOG_FILE &
sleep 2s
firejail --dns=$PROXY_ADDR thunderbird
kill $(jobs -p) |
Wait, I can not kill processes belonging to an other user. |
If want to use fdns together with
firejail --dns
, so that a sandbox has it's own resolver. You need to get root to start fdns. That's a bit annoying if you need to enter your PW and bad to script if you use sudo. So what can be done to do this automatically.obvious: add a
NOPASSWD
rule to sudo. However you wound need to create new rules for every used--withelist
argument because sudo has no support for regexp and*
matches everything (including spaces). Example rule:john ALL=(ALL) NOPASSWD: /usr/bin/fdns --proxy-addr=127.70.74.[0-9]
I created a heavy SUID-binary which starts fdns https://github.com/rusty-snake/fdns4users. However, that's still no good solution as you don't want more suids on your system.
Has anyone found a good solution? Polkit maybe.
The text was updated successfully, but these errors were encountered: