Can one use internet in a sandbox environment?
(A part of the system is always offline so that there are no chances of a virus from the internet)
The options I got from searching are
1. chrooting or FreeBSD jail
2. Using a docker container
3. Type1 hypervisors (directly run on the physical hardware) like Linux KVM
4. Type2 hypervisors (run as an application on an existing operating system) like Oracle VirtualBox
5. Block internet for the root user in Linux and allow internet only for other users.
But it looks like if you enable internet connection for non-root user then the root user is automatically connected to the internet (I may be wrong).
I have tried using some commands (THERE MAY BE RISK INVOLVED IN DOING SO) like:
sudo iptables -A OUTPUT -m owner --uid-owner {USERNAME} -j REJECT (replacing USERNAME with root)
but I had to restart the system to enable the internet connection again.
I think the option 4. may be the best but I would like to know more details such as whether there could be any interaction/data transmission between two KVMs.
Note: I decided to create this thread in the General sub-forum rather than the Virtualisation sub-forum as there are other points for discussion too.
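The rule quoted in the post above lives only in the running kernel's rule set, so it can be removed with `iptables -D` instead of a reboot. The script below is an added example, not part of the original thread: it reads `iptables -S OUTPUT` text and prints the delete command for every owner-match block on a given user. The function names and the sample rule listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: list and undo per-user egress blocks without rebooting.
# Nothing here changes the firewall; it only prints the commands to run.

# Constructed sample of `iptables -S OUTPUT` output (not from a real host).
SAMPLE_RULES='-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner 0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -m owner --uid-owner 1001 -j REJECT --reject-with icmp-port-unreachable'

# owner_block_rules USER: read `iptables -S` text on stdin and print the
# rules that REJECT or DROP traffic owned by USER (name or numeric UID).
owner_block_rules() {
    # iptables -S prints UIDs numerically, so resolve names first;
    # fall back to the argument itself if the lookup fails.
    uid=$(id -u "$1" 2>/dev/null) || uid="$1"
    awk -v uid="$uid" '
        $1 == "-A" {
            owner = 0; block = 0
            for (i = 1; i < NF; i++) {
                if ($i == "--uid-owner" && $(i + 1) == uid) owner = 1
                if ($i == "-j" && ($(i + 1) == "REJECT" || $(i + 1) == "DROP")) block = 1
            }
            if (owner && block) print
        }'
}

# undo_commands USER: turn each matching "-A <spec>" into the
# "iptables -D <spec>" command that deletes exactly that rule.
undo_commands() {
    owner_block_rules "$1" | sed 's/^-A /iptables -D /'
}

# Demo on the constructed sample. On a real host, as root:
#   iptables -S OUTPUT | undo_commands root
printf '%s\n' "$SAMPLE_RULES" | undo_commands root
```

Review the printed commands before running them as root; each one removes a single rule and leaves the rest of the chain untouched.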
One could run a fully updated usb drive that didn't let the host disk get mounted automatically I'd think would secure it more.
Do you mean storing important files for offline use on a usb drive rather than on the system?
If I need to copy some files from the system (which has internet access) to the usb then is there a way to be 100% sure that the usb won't be affected by a virus?
I understand that preventing automatic mounting of your secure drive would prevent any infection.
I would go one step further (I hope this is ok)
How would one transfer data from an internet-enabled device to an offline device/disk and make sure that the offline device/disk is not infected? (only the offline device can access (read/write) from the internet-enabled device and not the other way)
I am giving a scenario: (Devices: PC Hard Disk having important files for offline use, USB Device for data transfer and Mobile Device which has internet connection)
1. I have a hard disk that is offline (Linux OS).
2. I use a mobile device for internet, gather some data and transfer that to a usb device (via OTG).
3. I have to mount the usb device to the hard disk since I need the gathered data.
4. Give read and write permission to the usb.
5. I copy the gathered data from usb to the hard disk. Use/process the data as per needs
6. I write some data back to the usb if needed.
7. Connect usb to the mobile device if needed.
Data from mobile --> usb --> Hard disk
Data from Hard disk --> usb --> Mobile
How do I make sure that only the hard disk can read and write to the usb device and prevent the usb to read/write any hard disk data?
This is the big issue of security. You can't be fully sure. You can't take untrusted outside data and ever get it close to inside secure data. Defeats the entire gap process.
Just make a less secure system and keep secure system walled.
If you're not a command line user, there's a GUI front-end called firetools
PDFs you download from the internet can "phone home" via embedded I-frames... You can prevent that too with firejail by opening up PDFs in a sandbox and denying it network access:
How would one transfer data from an internet-enabled device to an offline device/disk and make sure that the offline device/disk is not infected? (only the offline device can access (read/write) from the internet-enabled device and not the other way)
Look into a WORM device (Write Once Read Many); they're mainly used to store log files to ensure they don't get altered.
Last edited by young_jedi; 03-28-2019 at 11:00 PM.
This is the big issue of security. You can't be fully sure. You can't take untrusted outside data and ever get it close to inside secure data. Defeats the entire gap process.
Just make a less secure system and keep secure system walled.
Yes, in case the usb device has an exe file virus which runs automatically when mounted (for Windows OS). Even multimedia and other files can have a virus.
But taking extreme precautions I think we can still prevent infection.
Example: If I need to just copy a user-created .txt file (no hidden extension) from the usb device to the hard disk, then there is no chance of a virus infecting the hard disk as a simple .txt file cannot have a virus.
If someone can answer this question (which I have posted previously) then it would be greatly helpful!
How do I make sure that only the hard disk can read and write to the usb device and prevent the usb to read/write any hard disk data?
Quote:
Originally Posted by young_jedi
This will open Firefox in a sandboxed environment and dispose of files saved in the temporary /home directories created by the --private argument.
If you're not a command line user, there's a GUI front-end called firetools
PDFs you download from the internet can "phone home" via embedded I-frames... You can prevent that too with firejail by opening up PDFs in a sandbox and denying it network access:
Look into a WORM device (Write Once Read Many); they're mainly used to store log files to ensure they don't get altered.
Thanks young_jedi for the useful information.
I am assuming that you are suggesting to use a WORM device to store important data which cannot be altered. Even though the data cannot be modified it can still be read and hence it can be stolen (correct me if wrong).
I am assuming that you are suggesting to use a WORM device to store important data which cannot be altered. Even though the data cannot be modified it can still be read and hence it can be stolen (correct me if wrong).
Think of it as a dropbox where you drop stuff into it, but you can't look inside. Only users with the proper permissions (e.g. root or a sudo user) should be able to get access to those files (unless they can mount your drive when you're not using it; in that case make sure it's encrypted via full disk encryption).
Last edited by young_jedi; 03-29-2019 at 11:56 PM.
No. There is no need to wear protective suits all the time, only when the occasion demands.
I cannot imagine what occasion would demand running a browser in sandbox software on a Windows VM.
I would ask you to elaborate, but probably you want to keep that secret.
I guess I just never visit such sites.