Last active
March 6, 2024 06:47
-
-
Save IoTeacher/41f85135dee85195c2a83fc62be90b0a to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| apt-get -y update | |
| apt-get -y install firejail | |
| if [ ! -f "/etc/firejail/disable-common.local" ]; then | |
| cat > "/etc/firejail/disable-common.local" <<EOF | |
| # Firejail blacklist | |
| blacklist /etc/passwd | |
| blacklist /etc/letsencrypt | |
| blacklist /etc/mysql | |
| blacklist /etc/nginx | |
| blacklist /etc/php | |
| blacklist /etc/postfix | |
| blacklist /etc/varnish | |
| blacklist /var/lib/mysql | |
| blacklist /var/run/php | |
| # END | |
| EOF | |
| fiw |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
On Ubuntu Server, you would install and configure it like this (e.g. in a firejail_install.sh script):
Just be careful what you blacklist :)
This, combined with the right permissions on /home should be enough to somewhat better protect your system from prying eyes.
The code snippet you provided is a Bash script that performs the following tasks:
#!/bin/bash: This line is known as a "shebang" and it tells the system to use the Bash shell interpreter to execute the script.apt-get -y update: This command updates the package lists for the packages installed on the system. It helps to ensure that you have the latest information about the available package versions.apt-get -y install firejail: This command installs the Firejail package on the system. Firejail is a security sandbox tool that restricts the running processes' access to system resources like files, directories, and device nodes.if [ ! -f "/etc/firejail/disable-common.local" ]; then: This is an if statement that checks if the file/etc/firejail/disable-common.localdoes not exist. If the file does not exist, it executes the code block inside thethensection.cat > "/etc/firejail/disable-common.local" <<EOF ... EOF: This block of code creates a new file/etc/firejail/disable-common.localand writes the content between the<<EOFandEOFmarkers to the file. The content is a list of directories and files that Firejail will blacklist, meaning that any sandboxed process will not have access to these paths.The paths being blacklisted include:
/etc/passwd(system user account information)/etc/letsencrypt(Let's Encrypt SSL/TLS certificates)/etc/mysql(MySQL configuration files)/etc/nginx(Nginx configuration files)/etc/php(PHP configuration files)/etc/postfix(Postfix mail server configuration files)/etc/varnish(Varnish HTTP cache configuration files)/var/lib/mysql(MySQL data directory)/var/run/php(PHP runtime directory)fi: This closes theifstatement.In summary, this script installs the Firejail package and creates a configuration file (
/etc/firejail/disable-common.local) that blacklists access to specific system directories and files for any sandboxed processes launched with Firejail. This configuration helps to enhance security by restricting access to sensitive system resources for untrusted or potentially malicious applications running in the Firejail sandbox.