Re: Zoom- best practice?

To: debian-user@lists.debian.org
Subject: Re: Zoom- best practice?
From: Linux-Fan <Ma_Sys.ma@web.de>
Date: Sat, 06 Jun 2020 00:13:28 +0200
Message-id: <[🔎] cone.1591395208.532026.9631.1000@pte5>
References: <[🔎] bc32e57d-e66c-f507-ba18-90025b8e50e9@sdi-baja.com>

Peter Ehlert writes:

Family is using Zoom, International.
They will use Zoom, and I need to participate.

I use Debian Mate Stable, and Firefox ESR

I am concerned about security, duh!
Looking for ideas.

my current thoughts, in order of preference:

1. Use a separate Debian alongside my daily driver, and use Only for theZoom meetings


2. Sandbox? (but how can I do that?)

3. Use a different browser


[...]

Hello,

best practice is certainly using different software (Big Blue Button hasbeen mentioned, Jitsi works OK for small groups, say ~10 persons, too), butthere are cases where I am not asked to decide the software. At least, Zoomworks on Linux whereas e.g. Skype for Business doesn't despite claiming tohave a „Web App“?

I am also using Zoom (not by preference, see above) and thought about waysto isolate it for which I basically came up with a similar list to yours.Here is what I did so far:


* Zoom inside a VM works well here. I use Virt-Manager + KVM and
  audio works flawlessly without the need for much additional configuration.
  I only added this line to .config/pulse/daemon.conf:

	flat-volumes = no

  This makes sure that opening the VM does not reset volume back to 100%
  which is dangerously loud on my sound card, see
  <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674936> :)

* As a fallback solution, I setup a sandbox for chromium using firejail
  (package firejail) with a custom profile (attached for those interested).

  If you do not like the VM approach, you might consider a sandbox around
  the zoom client. Of course, it is possible to use the sandbox inside the
  VM, too. I doubt the added security of combining VM+sandbox is worth the
  added complexity, though.

Using an entirely different system is certainly an option security-wise (ifnetwork isolation is considered properly), but might have some additionalpractical limitations.


HTH
Linux-Fan

include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-interpreters.inc
include /etc/firejail/whitelist-var-common.inc

blacklist /var/log
blacklist /var/www
blacklist /boot
blacklist /root
blacklist /opt
blacklist /srv
blacklist /media

apparmor
netfilter
disable-mnt
private-dev
# problems with multiple browser sessions
private-tmp

#caps.keep sys_chroot,sys_admin
nodbus
nodvd
nogroups
notv
#nonewprivs
nou2f
noexec /tmp

env NO_CHROME_KDE_FILE_DIALOG=1
shell none

#caps.drop all

Attachment: pgpmOoLW7Wjem.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: Zoom- best practice?
  - From: <tomas@tuxteam.de>
- Re: Zoom- best practice?
  - From: Alex Mestiashvili <amestia@rsh2.donotuse.de>

References:
- Zoom- best practice?
  - From: Peter Ehlert <peter@sdi-baja.com>

Prev by Date: Problem Installing Debian
Next by Date: Re: Zoom- best practice?
Previous by thread: Re: Zoom- best practice?
Next by thread: Re: Zoom- best practice?
Index(es):
- Date
- Thread