8

Are there any tools for sandboxing Iceweasel (Firefox) on Debian systems? I'm mostly interested in tools distributed by Debian. (An equally trustworthy source would be second best.)

(I suppose that installing VirtualBox and running Iceweasel (or Firefox) within it would effectively sandbox the browser, but VirtualBox instances take up a lot of disk space, and my machine's drive is not that big. I'm hoping to find a way to achieve the same results with a smaller disk footprint.)

kjo
  • I am also looking for something like this. Something as simple as [sandboxie](http://www.sandboxie.com/) which is a Windows tool. I think it should be able to create something alike with [Linux Containers](https://linuxcontainers.org/) or even just [chroot](https://de.wikipedia.org/wiki/Chroot) but I don't know of any software that instrumentalizes these tools in a simple and easy to use manner. Note that just chrooting a process is not a secure "sandbox". – asquared Jun 23 '14 at 14:56

3 Answers

3

You could use docker which uses Linux containers.

Here is how this could be done:

Download and install docker from here

Create a file named "Dockerfile" which contains commands to create a docker image. The following file creates an image based on Ubuntu where firefox and the OpenSSH server will be installed. A user "noone" is created (replace [your public key] with your public key) which will be used later to start firefox.

```dockerfile
FROM ubuntu:14.04
RUN apt-get update
RUN apt-get -y install openssh-server firefox
# sshd needs its runtime directory
RUN mkdir /var/run/sshd
# Unprivileged user that will run firefox
RUN useradd -m -U --shell=/bin/bash noone
# Unlock the account (no usable password) so key-based login works without PAM
RUN sed -ri 's/noone:!/noone:*/g' /etc/shadow
RUN sed -ri 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
RUN mkdir /home/noone/.ssh
RUN chown noone:noone /home/noone/.ssh
RUN echo 'ssh-rsa [your public key] xxx' > /home/noone/.ssh/authorized_keys
EXPOSE 22
# Run sshd in the foreground as the container's main process
CMD ["/usr/sbin/sshd", "-D"]
```

Start the docker daemon with docker -d.

Go into the directory where your Dockerfile is located and run `docker build -t sandboxfirefox .` This will create the image sandboxfirefox.

Start a docker container from the image created above with `docker run -d -p 127.0.0.1:5001:22 sandboxfirefox` (port 22 of the container is exported to port 5001 of the host).

Now you can start firefox via SSH using X forwarding with the user "noone" as follows:

```sh
ssh -o "UserKnownHostsFile /dev/null" -t -X -p 5001 noone@localhost firefox
```

Changes to the filesystem will take effect only in the container, not in the image. If you stop the container all changes will be lost.

DanielE
1

One method I use for 'sandboxing' an application (e.g. game servers, networking applications, ...) is creating a specific user for each application. For example:

```sh
sudo adduser firefoxuser # create a user for browsing the web
```

Then exit and log in as the new user. Then run whatever application you need to run. If the user does not need sudo access, then make sure the user cannot use sudo.

In your case, just log in as this user every time you want to browse the web. This way if an attacker is able to get into your system, they will not have access to an admin account right away. You might also consider removing them from certain default groups if you want to limit access further.


Virtual Box

As you said in your question, Virtual Box (VM Ware etc...) has many disadvantages:

  1. Uses a ton of RAM
  2. Uses a ton of disk space
  3. Much slower

But, there are a lot of advantages to using it as well. You can create a virtual machine and then create a snapshot. I usually call this 'Factory State'. Then when you are done using the virtual machine, revert back to the snapshot. Whatever malware that could have been installed on your virtual machine will be erased.

John
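
One way to check the points made in the answer above, that the dedicated account cannot use sudo and is not in groups that widen its access. This is an added example, not part of the original answer; the group list in `PRIV_GROUPS` and the sample accounts are assumptions.

```shell
#!/bin/sh
# Added example (not from the answer): audit a dedicated browsing account
# such as "firefoxuser" for group memberships that would defeat the isolation.

# Assumed list of groups that grant elevated access on a Debian-style system;
# adjust it for your machine. "docker" is listed because its members can
# start containers that run as root.
PRIV_GROUPS="root sudo wheel adm disk shadow staff docker lxd"

# risky_groups "<space-separated groups>" -> prints the privileged ones found.
risky_groups() {
    found=""
    for g in $1; do
        for p in $PRIV_GROUPS; do
            if [ "$g" = "$p" ]; then
                found="${found:+$found }$g"
            fi
        done
    done
    printf '%s\n' "$found"
}

# audit_user <name> -> 0 clean, 1 privileged group found, 2 unknown user.
audit_user() {
    if ! user_groups=$(id -Gn "$1" 2>/dev/null); then
        echo "no such user: $1" >&2
        return 2
    fi
    risky=$(risky_groups "$user_groups")
    if [ -n "$risky" ]; then
        echo "$1 is in privileged groups: $risky"
        return 1
    fi
    echo "$1 is in no privileged group"
}

# Constructed sample group lists (the kind of output `id -Gn` prints).
SAMPLE_DESKTOP="alice cdrom floppy sudo audio dip video plugdev netdev"
SAMPLE_DEDICATED="firefoxuser"
echo "desktop account:   [$(risky_groups "$SAMPLE_DESKTOP")]"
echo "dedicated account: [$(risky_groups "$SAMPLE_DEDICATED")]"
```

Group membership is only one route to sudo: a sudoers rule can name a user directly, which `sudo -l -U firefoxuser` (run as root) will list.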
0

You should check out the sandbox software arkose. This is a copy-on-write sandbox which is designed to leave your filesystem intact after the process has terminated.

Afaik, there are no controls in arkose to restrict read access to your files, so running the browser as another user might be a good idea.

One downside with such sandboxing is that plugins that are updated from within the browser will not survive the sandbox. You should periodically run the browser normally to let the plugins update.

Dog eat cat world