diff options
author | netblue30 <netblue30@protonmail.com> | 2022-08-14 09:29:04 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-08-14 09:29:04 -0400 |
commit | e7dccf7a547dae2ecf13775f2a950dee68a638c7 (patch) | |
tree | cae4e3ffa06a2eaaacaa3802970cf579c323e2d8 /src | |
parent | Merge pull request #5285 from ra1nb0w/vmware-snapshot (diff) | |
parent | docs: mention risk of SUID binaries and also firejail-users(5) (diff) | |
download | firejail-e7dccf7a547dae2ecf13775f2a950dee68a638c7.tar.gz firejail-e7dccf7a547dae2ecf13775f2a950dee68a638c7.tar.zst firejail-e7dccf7a547dae2ecf13775f2a950dee68a638c7.zip |
Merge pull request #5290 from kmk3/docs-suid-firejail-users
docs: mention risk of SUID binaries and also firejail-users(5)
Diffstat (limited to 'src')
-rw-r--r-- | src/man/firejail.txt | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index b783795f2..d02c5f14a 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -67,6 +67,17 @@ Firejail allows the user to manage application security using security profiles. | |||
67 | Each profile defines a set of permissions for a specific application or group | 67 | Each profile defines a set of permissions for a specific application or group |
68 | of applications. The software includes security profiles for a number of more common | 68 | of applications. The software includes security profiles for a number of more common |
69 | Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. | 69 | Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc. |
70 | .\" TODO: Explain the security/usability tradeoffs from #4601. | ||
71 | .PP | ||
72 | Firejail is currently implemented as an SUID binary, which means that if a | ||
73 | malicious or compromised user account manages to exploit a bug in Firejail, | ||
74 | that could ultimately lead to a privilege escalation to root. | ||
75 | To mitigate this, it is recommended to only allow trusted users to run firejail | ||
76 | (see firejail-users(5) for details on how to achieve that). | ||
77 | For more details on the security/usability tradeoffs of Firejail, see: | ||
78 | .UR https://github.com/netblue30/firejail/discussions/4601 | ||
79 | #4601 | ||
80 | .UE | ||
70 | .PP | 81 | .PP |
71 | Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/) | 82 | Alternative sandbox technologies like snap (https://snapcraft.io/) and flatpak (https://flatpak.org/) |
72 | are not supported. Snap and flatpak packages have their own native management tools and will | 83 | are not supported. Snap and flatpak packages have their own native management tools and will |