Peter Ehlert writes:
Family is using Zoom, International. They will use Zoom, and I need to participate. I use Debian Mate Stable, and Firefox ESR I am concerned about security, duh! Looking for ideas. my current thoughts, in order of preference:1. Use a separate Debian alongside my daily driver, and use Only for the Zoom meetings2. Sandbox? (but how can I do that?) 3. Use a different browser
[...] Hello,best practice is certainly using different software (Big Blue Button has been mentioned, Jitsi works OK for small groups, say ~10 persons, too), but there are cases where I am not asked to decide the software. At least, Zoom works on Linux whereas e.g. Skype for Business doesn't despite claiming to have a „Web App“?
I am also using Zoom (not by preference, see above) and thought about ways to isolate it for which I basically came up with a similar list to yours. Here is what I did so far:
* Zoom inside a VM works well here. I use Virt-Manager + KVM and audio works flawlessly without the need for much additional configuration. I only added this line to .config/pulse/daemon.conf: flat-volumes = no This makes sure that opening the VM does not reset volume back to 100% which is dangerously loud on my sound card, see <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674936> :) * As a fallback solution, I setup a sandbox for chromium using firejail (package firejail) with a custom profile (attached for those interested). If you do not like the VM approach, you might consider a sandbox around the zoom client. Of course, it is possible to use the sandbox inside the VM, too. I doubt the added security of combining VM+sandbox is worth the added complexity, though.Using an entirely different system is certainly an option security-wise (if network isolation is considered properly), but might have some additional practical limitations.
HTH Linux-Fan
include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-interpreters.inc include /etc/firejail/whitelist-var-common.inc blacklist /var/log blacklist /var/www blacklist /boot blacklist /root blacklist /opt blacklist /srv blacklist /media apparmor netfilter disable-mnt private-dev # problems with multiple browser sessions private-tmp #caps.keep sys_chroot,sys_admin nodbus nodvd nogroups notv #nonewprivs nou2f noexec /tmp env NO_CHROME_KDE_FILE_DIALOG=1 shell none #caps.drop all
Attachment:
pgpmOoLW7Wjem.pgp
Description: PGP signature