Firejail profile

David0325
Posts: 13
Joined: Wed Apr 29, 2015 6:22 pm

Firejail profile

Post by David0325 » Mon May 07, 2018 8:24 pm

Hello,
I wish to use UMS in Firejail. I tested with the default profile of Firejail, but it works just once. After exiting UMS and rerunning, there is no way to run UMS in Firejail again. What should the Firejail profile for UMS be? Thanks in advance.


~:$ firejail sh '/../UMS.sh' 
# Run UMS fine
...
# Quit UMS
INFO  10:27:00.329 [UMS Shutdown] Stopping Universal Media Server 6.6.0

Parent is shutting down, bye...
~:$ firejail sh '/../UMS.sh' 
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 2372, child pid 2373
Child process initialized in 43.67 ms

Parent is shutting down, bye...
~:$

Nadahar
Posts: 1253
Joined: Tue Jun 09, 2015 5:57 pm

Re: Firejail profile

Post by Nadahar » Mon May 07, 2018 8:39 pm

I don't know anything about FireJail, and I doubt any of the others here do either, so I think you'll have to make a profile yourself if you want one. If you succeed, make sure to post it in this thread so that other users with the same wish can use it.

That said, I don't know why you consider UMS "untrusted". It is all open source so anyone can see what it does, and apart from external programs used to parse and transcode media and plugins you might install, it doesn't run "external code" or anything coming from the Internet. Since UMS shouldn't be exposed to the Internet either (it's a LAN service), I think the potential for harm is quite limited.

Since you probably will want to "jail" it regardless, you should know that UMS relies on running a number of other (mostly bundled) executables and libraries. Any "jail" must make sure these are available, and also that the necessary network communication can happen freely. UMS basically needs outbound access on any port > 1024 for UDP and TCP, and incoming access for TCP ports 1900, 5001 and 9001 and UDP port 1900. 5001 and 9001 depend on your configuration; these are the default values, and if you change UMS' configuration the open port requirements change accordingly.
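Added example, not from this thread and not a profile shipped by UMS or Firejail: one way to turn the requirements above (bundled executables reachable, the listed ports open, everything else closed) into a custom Firejail profile plus a netfilter rule file. Everything except the port numbers is an assumption: the profile path, the UMS install directory (${HOME}/UMS), the config directory (${HOME}/.config/UMS), the media directory (${HOME}/Videos), the LAN interface (eth0) and the rule-file path (/etc/firejail/ums.net). Adjust them to your system.

```text
# --- file 1: ~/.config/firejail/ums.profile (assumed path) ---
# Same includes default.profile uses, as shown in the log in the first post.
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc

# Assumed paths. Whitelisting hides the rest of $HOME, so the install directory
# (with its bundled executables and libraries) and the config directory must be listed.
noblacklist ${HOME}/.config/UMS
whitelist ${HOME}/.config/UMS
whitelist ${HOME}/UMS
# The media being shared, read-only so nothing inside the jail can modify it.
whitelist ${HOME}/Videos
read-only ${HOME}/Videos

# Kernel-side hardening: no capabilities, no setuid escalation, no root, syscall filter.
caps.drop all
nonewprivs
noroot
seccomp
# inet/inet6 for DLNA/HTTP; netlink because Java enumerates interfaces via getifaddrs().
protocol unix,inet,inet6,netlink

private-dev
private-tmp

# Separate network namespace on the LAN interface (assumed eth0) with the filter below.
# netfilter only takes effect in a namespace created by "net".
net eth0
netfilter /etc/firejail/ums.net

# --- file 2: /etc/firejail/ums.net (assumed path, iptables-restore format) ---
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# SSDP discovery (UPnP) plus the UMS defaults from the post above (5001, 9001).
# If you change the ports in UMS' configuration, change them here too.
-A INPUT -p udp --dport 1900 -j ACCEPT
-A INPUT -p tcp --dport 1900 -j ACCEPT
-A INPUT -p tcp --dport 5001 -j ACCEPT
-A INPUT -p tcp --dport 9001 -j ACCEPT
COMMIT
```

Because the program being launched is `sh`, Firejail will not pick this profile up by name; pass it explicitly: `firejail --profile=~/.config/firejail/ums.profile sh /path/to/UMS.sh`. OUTPUT is left at ACCEPT, which covers the "any port > 1024 outbound" requirement; everything not listed in INPUT is dropped. Two caveats worth knowing before relying on this: with `net eth0` the sandbox gets its own address on the LAN (pin it with an `ip` line in the profile if it must stay stable), and because that interface is a macvlan child, the host machine itself cannot reach the sandboxed UMS, only other devices on the LAN can. If UMS fails to start under the profile, `firejail --debug` with the same arguments shows which path or file the sandbox is missing.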

David0325
Posts: 13
Joined: Wed Apr 29, 2015 6:22 pm

Re: Firejail profile

Post by David0325 » Tue May 08, 2018 7:12 am

Nadahar wrote:
Mon May 07, 2018 8:39 pm
I don't know why you consider UMS "untrusted". ... Since UMS shouldn't be exposed to the Internet either (it's a LAN service), I think the potential for harm is quite limited.
Because, to increase my security, protect my privacy and protect my personal documents, and I can do it with Firejail (when I set the right profile). Thanks for your comments, I will consider them. Some DLNA clients, with internet access, can access the media shared by UMS.

Nadahar
Posts: 1253
Joined: Tue Jun 09, 2015 5:57 pm

Re: Firejail profile

Post by Nadahar » Tue May 08, 2018 1:39 pm

I didn't mean to question your "privacy concerns", I just meant to point out that normally UMS isn't supposed to be exposed to access from the Internet anyway, so the chance that anyone can make it do anything "bad" should be pretty slim.

If DLNA clients can reach UMS from the Internet that is news to me, and I have no idea how that works. DLNA/UPnP use multicast for discovery and "messaging", and multicast isn't enabled on internet routers, so even if you for some reason configured your router to forward this out to the internet, the packets would be dropped as soon as they came to the next router. UMS shouldn't be opened to incoming access in your router anyway; there would be nothing to gain from this and UMS isn't "hardened" to withstand that.

If you mean that there's a risk simply because some renderers also have access to the internet, I'd say that's stretching it pretty far. DLNA clients/renderers can't upload anything to UMS (uploading isn't implemented in UMS), and they can't tell UMS to run anything or receive any kind of binary code. I have a hard time seeing how that could lead to anything affecting UMS.

David0325
Posts: 13
Joined: Wed Apr 29, 2015 6:22 pm

Re: Firejail profile

Post by David0325 » Tue May 08, 2018 6:04 pm

I have used UMS for many years (with PMS), and I trust it regarding privacy. Sorry if I hurt you. I don't absolutely want to use UMS in Firejail; in fact I was just curious. I agree with your arguments.
