Reducing permissions on Firefox extensions

Re: Reducing permissions on Firefox extensions

Post by wat0114 on 6/3/2012, 09:30

m00nbl00d wrote: If you got important processes @ medium/high you'd like to keep hidden from processes @ low, then you can apply an explicit medium/high IL to those processes, and make use of the flags -nw, -nx and -nr.

I do that for KeePass.

I might have something that needs attention. Thanks! One other experiment I tried, and which hasn't broken anything, is that I've applied the -nw flags to both Flash Player directories.

EDIT

I've also applied the nx flags to the Flash directories with no ill effects Smile

Also, here is my Waterfox/Firefox Low IL batch file:

Code:
@echo off

C:\Windows\System32\chml "c:\program files\waterfox\firefox.exe" -i:l
Pause
c:\windows\system32\chml "c:\users\user_name\appdata\local\mozilla" -i:l
Pause
c:\windows\system32\chml "c:\users\user_name\appdata\local\Temp" -i:l
Pause
c:\windows\system32\chml "c:\users\user_name\appdata\roaming\mozilla" -i:l
Pause
c:\windows\system32\chml "C:\Users\user_name\AppData\Roaming\Mozilla\Firefox\Profiles\yldg1sxa.default" -i:l -nw -nx
Pause
c:\windows\system32\chml "C:\Users\user_name\AppData\Roaming\Adobe\Flash Player" -i:l -nw -nx
Pause
c:\windows\system32\chml "C:\Users\user_name\AppData\Roaming\Macromedia\Flash Player" -i:l -nw -nx
Pause

I added the "Pause" in between each command just for kicks Smile



wat0114
Advanced Member

Posts : 152
Join date : 2010-05-11

Post by Guest on 6/3/2012, 21:13

That's the expected behavior. You need to consider the fact that any object (file, process...) @ low integrity level has no restrictions to access other objects or containers (folders...) also @ low integrity level, unless there are other restrictions in place, either by the operating system or applied by you. For example, even if I have chrome.exe @ low, you still need administrator privileges to change the integrity level of processes/folders in Program Files; in this case, chrome.exe.

There is one other integrity level with fewer permissions than Low, and that's Untrusted.

In your example, c:\windows\system32\chml "C:\Users\user_name\AppData\Roaming\Macromedia\Flash Player" -i:l -nw -nx, the -nw and -nx will only prevent Untrusted from writing and executing to that folder.
But, as I explained above, any object @ low can still write and execute to that folder.

Don't worry, when I started learning about integrity levels, I also got confused about it. Embarassed Laughing

Guest

Post by wat0114 on 6/3/2012, 22:06

m00nbl00d wrote:

In your example, c:\windows\system32\chml "C:\Users\user_name\AppData\Roaming\Macromedia\Flash Player" -i:l -nw -nx, the -nw and -nx will only prevent Untrusted from writing and executing to that folder.
But, as I explained above, any object @ low can still write and execute to that folder.

Darn! Well that's where I was confused, because I thought the -nw & -nx flags prevented anything in that directory from writing or executing elsewhere Embarassed

Mad at myself

wat0114

Post by Guest on 7/3/2012, 18:57

wat0114 wrote:
Darn! Well that's where I was confused, because I thought the -nw & -nx flags prevented anything in that directory from writing or executing elsewhere Embarassed

Mad at myself

Yeah, it's a bit confusing.

I don't recall if I mentioned it before, but there are two things you should be aware of now:

1. Firefox cannot update anymore using its internal mechanism, unless the upgrades are done using a separate update process. Otherwise, if the updates are done using firefox.exe, and everything else inherits the low integrity level, then Firefox won't be able to upgrade itself.

This means you'll have to manually upgrade it.

2. When you upgrade Firefox, you'll lose the low integrity level.

My advice would be to have a batch file that you would execute to install Firefox and then reapply the low integrity level.

Guest
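
Added example, not part of any post in this thread: a small Python model of the mandatory-label check that m00nbl00d describes in the two posts above (what -nw/-nx/-nr actually block, and why a replaced firefox.exe no longer starts at low). The function names, the numeric levels and the assumption that an upgraded firefox.exe carries no explicit label are illustrative, not taken from chml or Windows source.

```python
from enum import IntEnum


class IL(IntEnum):
    UNTRUSTED = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# An object with no explicit label is treated as Medium with no-write-up.
DEFAULT_LABEL = (IL.MEDIUM, frozenset({"nw"}))

# Label flag (as typed in the thread, minus the dash) that blocks each access.
BLOCKED_BY = {"write": "nw", "read": "nr", "execute": "nx"}


def mic_allows(subject_il, label, access):
    """Mandatory-label step only; the DACL is still evaluated afterwards."""
    object_il, flags = label or DEFAULT_LABEL
    if subject_il >= object_il:
        return True  # flags only restrict subjects *below* the object's level
    return BLOCKED_BY[access] not in flags


def process_il(token_il, exe_label):
    """A new process starts at the lower of the user's token and the image label."""
    exe_il, _flags = exe_label or DEFAULT_LABEL
    return min(token_il, exe_il)


def demo():
    flash_dir = (IL.LOW, frozenset({"nw", "nx"}))          # -i:l -nw -nx
    keepass = (IL.MEDIUM, frozenset({"nw", "nx", "nr"}))   # explicit medium, all flags
    browser = process_il(IL.MEDIUM, (IL.LOW, frozenset()))  # firefox.exe after -i:l
    upgraded = process_il(IL.MEDIUM, None)  # assumption: new file has no label
    return {
        "browser_il": browser,
        "upgraded_il": upgraded,
        "low_writes_flash": mic_allows(browser, flash_dir, "write"),
        "low_executes_flash": mic_allows(browser, flash_dir, "execute"),
        "untrusted_writes_flash": mic_allows(IL.UNTRUSTED, flash_dir, "write"),
        "low_reads_keepass": mic_allows(browser, keepass, "read"),
        "low_reads_unlabelled": mic_allows(browser, None, "read"),
        "low_writes_unlabelled": mic_allows(browser, None, "write"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The model covers only the integrity-label comparison; a real access must also pass the object's ordinary ACL.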

Post by wat0114 on 7/3/2012, 22:19

m00nbl00d wrote: I don't recall if I mentioned it before, but there are two things you should be aware of now:

1. Firefox cannot update anymore using its internal mechanism, unless the upgrades are done using a separate update process. Otherwise, if the updates are done using firefox.exe, and everything else inherits the low integrity level, then Firefox won't be able to upgrade itself.

This means you'll have to manually upgrade it.

Believe it or not, that I am aware of, thus I've been checking for updates myself.

2. When you upgrade Firefox, you'll lose the low integrity level.

My advice would be to have a batch file that you would execute to install Firefox and then reapply the low integrity level.

Yep, already done with the batch files, one of which I posted three posts above Wink Thanks again!

I think I can finally settle on this configuration, even though it may not be perfect with the Low IL applied to the Flash directories, but at least I don't lose much at all in the way of seamless usability Smile

wat0114

Post by Guest on 8/3/2012, 03:37

OK... Wink

Guest

Post by wat0114 on 8/3/2012, 09:19

I now have this same setup working nicely on Windows 8x64, dual-boot w/Win7x64 Smile

wat0114