What, however, if they broke out of the browser, dropped into the user's authority and then, upon looking around, saw that PID 0 was a simple /bin/sh, all other PIDs were apparently hidden away, and also that the authority level of the userid they'd broken into was so restricted it was pretty much useless?
Here's a simple example as a guide to how that might be set up using the unshare and capsh commands (I ran all of this under Debian Stretch) ...
I created a test script called capsh-test containing ...
Code:
#!/bin/sh
unshare -p --mount-proc=/proc -f /sbin/capsh --drop=cap_chown --keep=1 --user=root -- -c /bin/sh --

# ./capsh-test
... running ps -ef indicates PID 0 is /bin/sh, i.e. it can't see other PIDs
Code:
sh-4.4# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 21:19 pts/0 00:00:00 /bin/sh
root 2 1 0 21:19 pts/0 00:00:00 ps -ef
sh-4.4#
Code:
sh-4.4# echo >tst
sh-4.4# ls -l tst
-rw-r--r-- 1 root root 1 Jun 1 21:21 tst
sh-4.4# chown nobody tst
chown: changing ownership of 'tst': Operation not permitted
sh-4.4# id
uid=0(root) gid=0(root) groups=0(root)
Code:
sh-4.4# exit
exit
# ls -l tst
-rw-r--r-- 1 root root 1 Jun 1 21:21 tst
# chown nobody tst
# ls -l tst
-rw-r--r-- 1 nobody root 1 Jun 1 21:21 tst
#
Code:
--drop=cap_chown,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read
Of course I also set that to a non-root userid (--user=xxxxx parameter). That way firefox is running with pretty extreme restrictions. If a flaw in the browser enabled a breakout then the hacker drops to the same authority as the parent, i.e. non-root userid, and into an environment where commands such as chown (and a whole bunch of others) are restricted.
Of course nothing is truly safe; however, with Firefox internally running tasks in sandboxes, and with the parent of the running firefox process in effect decapitated while firefox still runs as expected ... those are additional hurdles/barriers that a potential hacker has to overcome/circumvent.
So far with that setup/script for firefox-esr I've managed to post as per here, watch youtubes, install the usual noscript/ublock-origin/user-agent spoofer ...etc. and all seems to be working fine. No guarantees however, as something might still yet pop out unexpectedly. [user agent spoofer?? What's that?? I use one pretty religiously, as openly broadcasting what operating system and browser (along with versions) you are running opens you up to attacks being specifically targeted against that combination of OS and browser/version. A user agent extension enables you to broadcast a different OS/browser, so any specific attacks launched at that combination of OS/browser are most unlikely to be successful. Debian/firefox-esr being used, MacOS/Safari browser apparently being used. Yes, that can have some web sites display incorrectly, but it's easy to turn user-agent off and reload the web page for such cases.]
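As an added example (not the poster's own script), here is a small POSIX shell helper that builds the unshare/capsh command line from that drop list for a chosen userid and, more usefully, lets you verify from inside the sandbox which capabilities actually survived. The kernel reports the effective set as a hex bitmask on the CapEff line of /proc/self/status, so the check decodes that mask with the capability bit numbers from the kernel's capability.h; the path /sbin/capsh and the hex masks used in the demonstration at the bottom are assumptions/constructed values, not output from the poster's system.

```shell
#!/bin/sh
# Added example: build the sandbox command and decode CapEff to confirm what
# was dropped. Assumes util-linux `unshare` and libcap `capsh` at /sbin/capsh
# (path assumed from the post); runs offline for the decoding part.

# The capability drop list as posted, in the same order.
DROP_LIST="cap_chown,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read"

# build_sandbox_cmd <user> <program>: the full command line in the post's form.
build_sandbox_cmd() {
    printf 'unshare -p --mount-proc=/proc -f /sbin/capsh --drop=%s --keep=1 --user=%s -- -c %s --\n' \
        "$DROP_LIST" "$1" "$2"
}

# cap_number <cap_name>: kernel bit number from linux/capability.h (fails on unknown names).
cap_number() {
    case "$1" in
        cap_chown) echo 0 ;;            cap_dac_override) echo 1 ;;
        cap_dac_read_search) echo 2 ;;  cap_fowner) echo 3 ;;
        cap_fsetid) echo 4 ;;           cap_kill) echo 5 ;;
        cap_setgid) echo 6 ;;           cap_setuid) echo 7 ;;
        cap_setpcap) echo 8 ;;          cap_linux_immutable) echo 9 ;;
        cap_net_bind_service) echo 10 ;; cap_net_broadcast) echo 11 ;;
        cap_net_admin) echo 12 ;;       cap_net_raw) echo 13 ;;
        cap_ipc_lock) echo 14 ;;        cap_ipc_owner) echo 15 ;;
        cap_sys_module) echo 16 ;;      cap_sys_rawio) echo 17 ;;
        cap_sys_chroot) echo 18 ;;      cap_sys_ptrace) echo 19 ;;
        cap_sys_pacct) echo 20 ;;       cap_sys_admin) echo 21 ;;
        cap_sys_boot) echo 22 ;;        cap_sys_nice) echo 23 ;;
        cap_sys_resource) echo 24 ;;    cap_sys_time) echo 25 ;;
        cap_sys_tty_config) echo 26 ;;  cap_mknod) echo 27 ;;
        cap_lease) echo 28 ;;           cap_audit_write) echo 29 ;;
        cap_audit_control) echo 30 ;;   cap_setfcap) echo 31 ;;
        cap_mac_override) echo 32 ;;    cap_mac_admin) echo 33 ;;
        cap_syslog) echo 34 ;;          cap_wake_alarm) echo 35 ;;
        cap_block_suspend) echo 36 ;;   cap_audit_read) echo 37 ;;
        *) return 1 ;;
    esac
}

# cap_in_mask <hexmask> <cap_name>: true if the capability bit is set in the mask.
cap_in_mask() {
    n=$(cap_number "$2") || return 2
    [ $(( (0x$1 >> $n) & 1 )) -eq 1 ]
}

# mask_after_drop <hexmask> <comma_list>: the mask left after clearing every listed bit.
mask_after_drop() {
    m=$(( 0x$1 ))
    for c in $(printf '%s' "$2" | tr ',' ' '); do
        n=$(cap_number "$c") || continue
        m=$(( m & ~(1 << n) ))
    done
    printf '%016x\n' "$m"
}

# caps_remaining <hexmask> <comma_list>: which of the listed caps are still in the mask.
caps_remaining() {
    out=""
    for c in $(printf '%s' "$2" | tr ',' ' '); do
        if cap_in_mask "$1" "$c"; then out="${out:+$out,}$c"; fi
    done
    printf '%s\n' "$out"
}

# current_capeff: the live effective set of this shell (run it inside the sandbox).
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Demonstration with a constructed "all 38 capabilities" mask (0x3fffffffff).
FULL_MASK=0000003fffffffff
printf 'command: %s' "$(build_sandbox_cmd nobody /usr/bin/firefox-esr)"
printf 'CapEff after the posted drop list: %s\n' "$(mask_after_drop "$FULL_MASK" "$DROP_LIST")"
if [ -r /proc/self/status ]; then
    printf 'dropped caps still effective here: [%s]\n' "$(caps_remaining "$(current_capeff)" "$DROP_LIST")"
fi
```

Inside the sandboxed shell, caps_remaining "$(current_capeff)" "$DROP_LIST" should print an empty list; anything it does print is a capability the drop did not take effect for. mask_after_drop shows the same thing offline, and since it clears only the bits that are named, whatever is left in its result is exactly the set of capabilities the list does not cover.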