I am a big fan of Flatpak, but also highly support keeping RPM firefox until there are not only major fixes to flatpak, but also to firefox itself.
In short, Flatpak issues:
- no exact drag&drop support (dragging a file into an “upload” box on a website etc.)
- no native messaging (keepassxc, plasma browser extension, zotero, …)
- no webauthn/fido2 support, smartcards, hardware tokens
Firefox issues:
- filesystem sandboxing relies on `fork()` and user namespaces. Those are blocked, and `fork()` cannot be used with `flatpak-spawn` to isolate processes, as it would explode RAM use. Firefox needs to implement a fork server like zygote on Chromium (and Android) to allow something like zypak for filesystem sandboxing
Full list of issues, specific to the Fedora Flatpak Firefox
These issues make the Flatpak a non-option, not to mention that the Fedora Flatpak Firefox has no nonfree media codecs.
I had the fun using uBlue Aurora for a while, but they remove Firefox from the image for the sake of “updating the browser should be independent of the system”.
While that logic may make sense, as a daily updater this is not important.
Anyways, I used that as a challenge.
How can I use the Firefox tar archive in a semi-secure way?
Normally, one would go the “Appimage way”. Create a random directory in home, not compliant to any xdg specs, put the files there, run them from there.
This could also be `~/.local/bin/` and would directly be in `$PATH`. But that directory is writable by any process, which is kind of against some core concepts?
I am not sure if all the stuff about “system” and “users” comes from multi-user systems only, or if this was also intended as a security method against user processes.
So instead, I created a directory `/var/usrlocal/share/firefox`, because the firefox archive contains so much stuff. I then chowned it to the user, `sudo chown -R user:user /var/usrlocal/share/firefox`, and ran the `firefox-bin` program (as that is always a bit faster).
It created its desktop entry automatically, not sure at what stage, maybe when setting it as the default program.
The issue now is:
- that directory is just as insecure as somewhere randomly in home
- Firefox launches the firefox-updater program, which is the only program that needs to write to that directory
- all the SELinux labels are messed up too of course; they would need to be the same as in `/usr/bin`, I would say
I can imagine that this needs to be fixed by Firefox, to use polkit in the updater. Maybe the updater already has polkit support?
Alternatively, making it setuid could work but is a bad idea.
What do you think?
This setup works well, I already had a Firefox update without rebooting. Which may be really needed on a lot of systems, especially CentOS Stream, Alma bootc, HeliumOS, …
Considerations
The security of system programs against user programs does not exist on Desktop Linux.
All user-ran programs can
- write your bashrc (alias, PATH, functions)
- write your `~/.local/share/applications`
- change your desktop, terminal emulator, custom shell, etc. however they want
- copy all system programs to user directories and manipulate them there
The idea that users can “overdrive” system stuff, like `~/.local/share/applications` being used instead of `/usr/share/applications`, doesn't help a bit.
Especially on atomic fedora, that is the only mutable directory.
This is pretty crazy. The concept of malicious user apps seems to require a HUGE paradigm shift, like requiring privileges to change anything that runs code or manipulates other things running code.
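Two checks that follow from the post's concerns, as an added example (this is not code from the post or from Firefox/Fedora): the first audits an unpacked install directory like `/var/usrlocal/share/firefox` for files an unprivileged process could overwrite, the second lists user-level `.desktop` entries in `~/.local/share/applications` that shadow a system entry of the same name but launch a different command. The expected owner defaulting to `root`, the three-argument usage, and the directories passed in are assumptions; the script compares only the `Exec=` line, so an entry that differs in other keys is not reported.

```shell
#!/bin/sh
# Added example, not from the original post. Two defender-side checks for the
# concerns raised above; both take their paths as arguments.

# 1. Audit an install prefix such as /var/usrlocal/share/firefox: print every
#    file or directory that is world-writable or not owned by the expected
#    owner (assumed: root for a system-wide install). An empty result means no
#    unprivileged process can silently replace the binaries in that tree.
audit_install_dir() {
    dir=$1
    owner=${2:-root}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" \( -perm -o+w -o ! -user "$owner" \) -print | sort
}

# 2. Report user .desktop entries that shadow a system entry of the same file
#    name but carry a different Exec= line. This is the
#    ~/.local/share/applications override from the post; a changed Exec= on a
#    shadowed entry is what a desktop-entry hijack looks like on disk.
find_shadowed_desktop_entries() {
    user_dir=$1
    sys_dir=$2
    for user_entry in "$user_dir"/*.desktop; do
        [ -e "$user_entry" ] || continue
        name=$(basename "$user_entry")
        sys_entry="$sys_dir/$name"
        [ -e "$sys_entry" ] || continue
        user_exec=$(grep -m1 '^Exec=' "$user_entry")
        sys_exec=$(grep -m1 '^Exec=' "$sys_entry")
        if [ "$user_exec" != "$sys_exec" ]; then
            printf '%s: user %s / system %s\n' "$name" "$user_exec" "$sys_exec"
        fi
    done
}

# Usage (assumed layout):
#   ./audit.sh /var/usrlocal/share/firefox ~/.local/share/applications /usr/share/applications
if [ "$#" -eq 3 ]; then
    echo "== entries under $1 that are world-writable or not owned by root =="
    audit_install_dir "$1"
    echo "== user desktop entries shadowing system ones with a different Exec= =="
    find_shadowed_desktop_entries "$2" "$3"
fi
```

Running the first check against a tree that was `chown -R user:user`ed, as in the post, reports every file, which is exactly the trade-off described: a root-owned tree passes the audit but the in-app updater can no longer write to it. The second check is cheap enough to run from a login script or a periodic timer and only reads the directories it is given.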