Control: forwarded -1 https://github.com/netblue30/firejail/issues/3513
Hi Jeff,

On Wed, Jul 15, 2020 at 10:11:55PM -0700, Jeff Root wrote:
> * What fixed the problem?
>
> I discovered that /etc/firejail/firejail.conf had
>
> # Disable U2F in browsers, default enabled.
> # browser-disable-u2f yes
>
> I uncommented that line, and changed it to "no" to solve the problem.
>
> I believe there are two problems here. First, I don't see any reason why
> WebAuthn would be disabled by default. I'm not aware of any reason that would
> improve security or usability. Second, it was very difficult to understand
> this setting; the man page documents BROWSER_DISABLE_U2F, and explains how to
> _disable_ U2F, but not how to ENable U2F. As Debian/upstream has it disabled
> by default, I think it would be better for the man page to show how to enable
> it, or preferably show how to enable it. The documentation (and this is likely
> an upstream issue) doesn't really describe how the profiles are used, what the
> config file is for, or how to override these settings. (For example, there's a
> command line argument to firejail, --nou2f, but no sign of how to _not_ disable
> U2F.)
>
> I would suggest that Debian change that default setting to "no" so that U2F
> works out of the box.

U2F is intentionally disabled by default. The firefox profile (also a few
others) currently contains:

> /etc/firejail/firefox-common.profile
> 43:?BROWSER_DISABLE_U2F: nou2f
> 52:?BROWSER_DISABLE_U2F: private-dev

With browser-disable-u2f disabled, this would also disable private-dev, which
would mean that the browser has access to the whole /dev directory (instead of
only whitelisted devices), which increases the potential attack surface.

I think most users are currently not using U2F, so I'd like to keep the default
in sync with upstream. But I agree that this topic and its documentation is
currently confusing, so I reported this upstream with the suggestion to improve
documentation.

Kind regards,
Reiner
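The coupling Reiner describes is easy to miss when reading the profile: the single `browser-disable-u2f` switch in firejail.conf gates two conditional lines, so turning it to "no" removes `private-dev` along with `nou2f`. The script below is an added example (not firejail's own parser and not part of this bug report) that approximates how a `?BROWSER_DISABLE_U2F: command` profile line is kept or dropped for each setting, using the two lines quoted from firefox-common.profile plus one constructed unconditional line. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not firejail's own code): a small approximation of how a
# "?CONDITION: command" line in a firejail profile is kept or dropped
# depending on the "browser-disable-u2f" switch in firejail.conf.
# It exists to make the coupling in the report visible: one switch gates
# both "nou2f" and "private-dev".

# Profile excerpt. The two conditional lines are the ones quoted from
# /etc/firejail/firefox-common.profile in the report; the "noroot" line is
# constructed here to show that unconditional lines are never affected.
PROFILE_EXCERPT='?BROWSER_DISABLE_U2F: nou2f
?BROWSER_DISABLE_U2F: private-dev
noroot'

# resolve_profile <yes|no>
# Prints, one per line, the profile commands that remain in effect when
# firejail.conf contains "browser-disable-u2f <yes|no>".
resolve_profile() {
    conf_value="$1"
    printf '%s\n' "$PROFILE_EXCERPT" | while IFS= read -r line; do
        case "$line" in
            '?BROWSER_DISABLE_U2F:'*)
                # Conditional line: the command survives only when the
                # switch is "yes" (the upstream/Debian default).
                if [ "$conf_value" = yes ]; then
                    printf '%s\n' "${line#"?BROWSER_DISABLE_U2F: "}"
                fi
                ;;
            '?'*)
                # Other conditions are outside this example; drop them.
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done
}

# dev_is_private <yes|no>
# Answers "yes" when the resolved profile still contains "private-dev",
# i.e. the browser sees only whitelisted device nodes, and "no" when it
# would see the host's whole /dev.
dev_is_private() {
    if resolve_profile "$1" | grep -qx 'private-dev'; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone demonstration of both settings.
for setting in yes no; do
    echo "browser-disable-u2f $setting:"
    echo "  effective commands: $(resolve_profile "$setting" | tr '\n' ' ')"
    echo "  /dev restricted to whitelisted nodes: $(dev_is_private "$setting")"
done
```

With the default ("yes") both `nou2f` and `private-dev` stay active; with "no" neither does, which is the attack-surface increase the reply points out. The script only models the two lines quoted above, so treat it as an illustration of the conditional semantics rather than a check of a real installation. Firejail's own per-run option for dropping one profile command is `--ignore=command` (for example `--ignore=nou2f`), which leaves the `private-dev` line untouched; whether U2F devices are then usable inside the sandbox is not something this bug report states, so it is not claimed here.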

