
Firefox running in container as user spot

September 24, 2022 — BarryK

Up until now, apps running in a container run as "crippled root". Which is fine, very secure. Some apps though, are not happy; they think that they are running as root and will complain, or require a special parameter on the command line, or even refuse to run.

That is annoying, as "crippled root" is very secure. However, I have finally fixed running apps non-root in containers. This adds an extra layer of security; if somehow an attacker manages to elevate themselves out of spot to root, they are still in "crippled root". This is great.

Inherited from Puppy Linux is user "spot". The logo for spot is a drawing of my daughter's little dog Vincent. You can see the logo here:

You can also see the logo in a running EasyOS, at /home/spot

To prove the concept, I have configured Firefox to run as user spot in a container. This is the default in the upcoming EasyOS 4.4. You can see the checkbox "user spot" in the Easy Containers GUI (via the Filesystem menu):


img1

I also fixed Firefox to be able to save to /files/shared, so anything you download will appear at the same location /files/shared outside the container. All other paths under /files in the container are not available outside.

First tests, working great, but more testing revealed a couple of issues, that I know how to fix. Expect to do so tonight or tomorrow morning. So EasyOS 4.4 is not far away.

One clarification: Firefox running as spot is only in the container. Firefox on the main desktop runs as user "firefox". So, any app running non-root on the main desktop will run as its own user, but any app running non-root in a container will run as user spot.

In theory, could have Firefox running as user firefox in a container; however, that makes the coding a bit more complex. And besides, there is no need. Firefox is running all on its own in the container, so no problem with just running as spot.

Tags: easy