To safely view a PDF document, while preventing damage from exploitation of vulnerabilities or malware infection, we can use firejail.
Firejail is a lightweight secuirty tool intended to protectd a Linux system by setting up a restricted environment for running (potentially untrusted) applications.
For the PDF document viewer, mudpdf will be a great option, due to it being lightweight and open-sourced.
firejail can be used to create a sandboxed environment for secure viewing of the PDF using mupdf :
$ firejail --net=none --caps.drop=all --nogroups --noroot --private=[pdf_dir] mupdf [pdf_to_view].pdf
# eg.
$ firejail --net=none --caps.drop=all --nogroups --noroot --private=/home/user/sandbox mupdf view.pdfFlags
--net=none: Disables all network acccess, expect for a new loopback interface (lo).--caps.drop=all: Drop all capabilities for the processes running in the sandbox.--nogroups: Disable supplementary groups.--noroot: Install a user namespace with a single user - the current user. The root user does not exist in the new namespace.--private=directory: Use directory as user home. This should be the directory where the.pdffile is present.
Reusable Bash function (~/.bashrc)
~/.bashrc)We can create a Bash function in ~/.bashrc that can be used as a simple command:
# .bashrc
safeviewpdf() {
local pdf_path="$1"
if [ -z "$pdf_path" ]; then
echo "Usage: safepdf /absolute_path/to/file.pdf";
elif [ ! -f "$pdf_path" ]; then
echo "File not found" $pdf_path". Please provide the absolute path.";
else
firejail --net=none --private="$(dirname "$pdf_path")" --caps.drop=all --nogroups --noroot mupdf "$(basename "$pdf_path")";
}To load changes in ~/.bashrc:
Run this command after each update to the function in
~/.bashrc
$ source ~/.bashrcTo call the function:
$ safeviewpdf /absolute_path/to/file.pdfLast updated