LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices


Reply
  Search this Thread
Old 03-25-2019, 08:06 AM   #1
ce309
LQ Newbie
 
Registered: Mar 2019
Posts: 6

Rep: Reputation: Disabled
Using internet in a sandbox environment


Can one use internet in a sandbox environment?
(A part of the system is always offline so that there no chances of a virus from the internet)

The options I got from searching are
1. chrooting or FreeBSD jail
2. Using a docker container
3. Type1 hypervisors (directly run on the physical hardware) like Linux KVM
4. Type2 hypervisors (run as an application on an existing operating system) like Oracle VirtualBox
5. Block internet for the root user in Linux and allow internet only for other users.
But it looks like if you enable internet connection for non-root user then the root user is automatically connected to the internet (I maybe wrong).

I have tried using some commands (THERE MAYBE RISK INVOLVED IN DOING SO) like:
sudo iptables -A OUTPUT -m owner --uid-owner {USERNAME} -j REJECT (replacing USERNAME with root)
but I had to restart the system to enable the internet connection again.


I think the option 4. maybe the best but I would like to know more details such as whether there could be any interaction/data transmission between two KVMs.

Note: I decided to create thread in General sub-forum than Virtualisation sub-forum as there are other points for discussion too.
 
Old 03-25-2019, 03:43 PM   #2
jefro
Moderator
 
Registered: Mar 2008
Posts: 18,923

Rep: Reputation: 2836Reputation: 2836Reputation: 2836Reputation: 2836Reputation: 2836Reputation: 2836Reputation: 2836Reputation: 2836Reputation: 2836Reputation: 2836Reputation: 2836
Hello and welcome to LQ.

Yes.

One can't prove that all your choices are 100% secure to the host.

One could run a fully updated usb drive that didn't let the host disk get mounted automatically I'd think would secure it more.
 
Old 03-25-2019, 11:26 PM   #3
ce309
LQ Newbie
 
Registered: Mar 2019
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by jefro View Post
One could run a fully updated usb drive that didn't let the host disk get mounted automatically I'd think would secure it more.
Do you mean storing important files for offline use on a usb drive rather than on the system?.

If I need to copy some files from the system (which has internet access) to the usb then is there a way to be 100% sure that the usb won't be affected by a virus?
 
Old 03-27-2019, 03:41 PM   #4
jefro
Moderator
 
Registered: Mar 2008
Posts: 18,923

Rep: Reputation: 2836Reputation: 2836Reputation: 2836Reputation: 2836Reputation: 2836Reputation: 2836Reputation: 2836Reputation: 2836Reputation: 2836Reputation: 2836Reputation: 2836
What I meant was to boot from a usb flash drive. Keep it from mounting any of your secure drives. Keep it fully updated.

A normal install to a usb will create an install as if it were a real hard drive on almost all modern distro's.
 
Old 03-28-2019, 11:00 AM   #5
ce309
LQ Newbie
 
Registered: Mar 2019
Posts: 6

Original Poster
Rep: Reputation: Disabled
Thanks jefro for elaborating.

I understand that preventing automatic mounting of your secure drive would prevent any infection.

I would go one step further (I hope this is ok)

How would one transfer data from an internet-enabled device to a offline device/disk and make sure that the offline device/disk is not infected? (only the offline device can access (read/write) from the internet-enabled device and not the other way)

I am giving a scenario: (Devices: PC Hard Disk having important files for offline use, USB Device for data transfer and Mobile Device which has internet connection)
1. I have a hard disk that is offline (Linux OS).
2. I use a mobile device for internet, gather some data and transfer that to a usb device (via OTG).
3. I have to mount the usb device to the hard disk since I need the gathered data.
4. Give read and write permission to the usb.
5. I copy the gathered data from usb to the hard disk. Use/process the data as per needs
6. I write some data back to the usb if needed.
7. Connect usb to the mobile device if needed.

Data from mobile --> usb --> Hard disk
Data from Hard disk --> usb --> Mobile

How do I make sure that only the hard disk can read and write to the usb device and prevent the usb to read/write any hard disk data?
 
Old 03-28-2019, 03:08 PM   #6
jefro
Moderator
 
Registered: Mar 2008
Posts: 18,923

Rep: Reputation: 2836Reputation: 2836Reputation: 2836Reputation: 2836Reputation: 2836Reputation: 2836Reputation: 2836Reputation: 2836Reputation: 2836Reputation: 2836Reputation: 2836
This is the big issue of security. You can't be fully sure. You can't take untrusted outside data and ever get it close to inside secure data. Defeats the entire gap process.

Just make a less secure system and keep secure system walled.
 
1 members found this post helpful.
Old 03-28-2019, 06:47 PM   #7
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 19.1 MATE
Posts: 7,510
Blog Entries: 2

Rep: Reputation: 2639Reputation: 2639Reputation: 2639Reputation: 2639Reputation: 2639Reputation: 2639Reputation: 2639Reputation: 2639Reputation: 2639Reputation: 2639Reputation: 2639
Browser running in Sandboxie in a Windows VirtualBox VM for me. Can never be too careful...

If any downloaded files need transferring, they are first run through VirusTotal and Jotti while still in the sandbox, before being recovered from it.
 
Old 03-28-2019, 10:45 PM   #8
young_jedi
Member
 
Registered: Mar 2019
Posts: 37

Rep: Reputation: Disabled
This will open Firefox in a sandboxed environment and dispose of files saved in the temporary /home directories created by the --private argument.
Code:
$ firejail --seccomp --nonewprivs --private --private-tmp firefox
If you're not a command line user, there's a GUI front-end called firetools

PDFs you download from the internet can "phone home" via embedded I-frames... You can prevent that too with firejail by opening up PDFs in a sandbox and denying it network access:

Code:
$ firejail --seccomp --nonewprivs --private --private-dev --private-tmp --net=none --x11 --whitelist=/tmp/unsafe.pdf evince /tmp/unsafe.pdf
Quote:
Originally Posted by ce309 View Post
How would one transfer data from an internet-enabled device to a offline device/disk and make sure that the offline device/disk is not infected? (only the offline device can access (read/write) from the internet-enabled device and not the other way)
Look into a WORM device (Write Once Read Many) their mainly used to store log files to ensure they dont get altered.

Last edited by young_jedi; 03-28-2019 at 11:00 PM.
 
Old 03-29-2019, 02:13 AM   #9
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 11,308
Blog Entries: 8

Rep: Reputation: 2914Reputation: 2914Reputation: 2914Reputation: 2914Reputation: 2914Reputation: 2914Reputation: 2914Reputation: 2914Reputation: 2914Reputation: 2914Reputation: 2914
Quote:
Originally Posted by hydrurga View Post
Browser running in Sandboxie in a Windows VirtualBox VM for me. Can never be too careful...

If any downloaded files need transferring, they are first run through VirusTotal and Jotti while still in the sandbox, before being recovered from it.
are you saying this is how you always browse the WWW? like, right now?
 
Old 03-29-2019, 05:27 AM   #10
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 19.1 MATE
Posts: 7,510
Blog Entries: 2

Rep: Reputation: 2639Reputation: 2639Reputation: 2639Reputation: 2639Reputation: 2639Reputation: 2639Reputation: 2639Reputation: 2639Reputation: 2639Reputation: 2639Reputation: 2639
Quote:
Originally Posted by ondoho View Post
are you saying this is how you always browse the WWW? like, right now?
No. There is no need to wear protective suits all the time, only when the occasion demands.
 
Old 03-29-2019, 06:57 AM   #11
ce309
LQ Newbie
 
Registered: Mar 2019
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by jefro View Post
This is the big issue of security. You can't be fully sure. You can't take untrusted outside data and ever get it close to inside secure data. Defeats the entire gap process.

Just make a less secure system and keep secure system walled.
Yes, incase the usb device has an exe file virus which runs automatically when mounted (for Windows OS). Even multimedia and other files can have a virus.

But taking extreme precautions I think we can still prevent infection.

Example: If I need to just copy a user-created .txt file (no hidden extension) from the usb device to the hard disk, then there is no chance of a virus infecting the hard disk as a simple .txt file cannot have a virus.

If someone can answer this question (which I have posted previously) then it would greatly helpful!
How do I make sure that only the hard disk can read and write to the usb device and prevent the usb to read/write any hard disk data?


Quote:
Originally Posted by young_jedi View Post
This will open Firefox in a sandboxed environment and dispose of files saved in the temporary /home directories created by the --private argument.
Code:
$ firejail --seccomp --nonewprivs --private --private-tmp firefox
If you're not a command line user, there's a GUI front-end called firetools

PDFs you download from the internet can "phone home" via embedded I-frames... You can prevent that too with firejail by opening up PDFs in a sandbox and denying it network access:

Code:
$ firejail --seccomp --nonewprivs --private --private-dev --private-tmp --net=none --x11 --whitelist=/tmp/unsafe.pdf evince /tmp/unsafe.pdf

Look into a WORM device (Write Once Read Many) their mainly used to store log files to ensure they dont get altered.
Thanks young_jedi for the useful information.

I am assuming that you are suggesting to use a WORM device to store important data which cannot be altered. Even though the data cannot be modified it can still be read and hence it can be stolen (correct me if wrong).
 
Old 03-29-2019, 11:50 PM   #12
young_jedi
Member
 
Registered: Mar 2019
Posts: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by ce309 View Post
I am assuming that you are suggesting to use a WORM device to store important data which cannot be altered. Even though the data cannot be modified it can still be read and hence it can be stolen (correct me if wrong).
Think of it as a dropbox where you drop stuff into it, but you cant look inside.. Only user's with the proper permissions (e.g. root or a sudo user) should be able to get accesss to those files (unless they can mount your drive when you're not using it; in that case make sure its encrypted via full disk encryption)..

Last edited by young_jedi; 03-29-2019 at 11:56 PM.
 
Old 03-30-2019, 01:25 AM   #13
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 11,308
Blog Entries: 8

Rep: Reputation: 2914Reputation: 2914Reputation: 2914Reputation: 2914Reputation: 2914Reputation: 2914Reputation: 2914Reputation: 2914Reputation: 2914Reputation: 2914Reputation: 2914
Quote:
Originally Posted by hydrurga View Post
No. There is no need to wear protective suits all the time, only when the occasion demands.
i cannot imagine what occasion would demand running a browser in sandbox software on a windows vm.
i would ask you to elaborate, but probably you want to keep that secret.
i guess i just never visit such sites.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Why am I not able to sandbox using mkvirtualenv rrgb Linux - Server 1 05-16-2018 06:44 AM
LXer: Securing a Web Server Using a Linux Namespaces Sandbox LXer Syndicated Linux News 0 06-18-2014 04:50 AM
Using Linux to sandbox USB drives in Windows ShanxT Linux - General 2 01-14-2009 03:23 AM
How to run Java programs in a sandbox fpmc Programming 0 07-07-2004 03:57 AM
sandbox lockout... jwhiz Linux - Newbie 2 10-02-2002 04:04 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - General

All times are GMT -5. The time now is 11:37 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration