firefox browser defensive security approach
May 30, 2018 at 11:02 am #10588 (Member: roytobin)
I don't trust browsers. One look at security concerns for firefox would have one quite frightened.

I came up with running firefox as a different "quarantined" user, one with only default (i.e. meaningless) account files. The true human user on the system has home directory permission like so:

drwx------

So, even if the firefox threads/process(es) running as quarantined user were totally rogue, it could only see system files and the quarantined user's files, not true users' home directory files.

For this to work, the true user has X server set to permissive:

xhost +

Then, go to a virtual console (ctrl-alt-f5) and log in to the quarantine account. Then run a 3 line script of the form:

export DISPLAY=:0
pulseaudio --start   # eg. here for firefox quantum
exec firefox.real    # eg. here for firefox quantum

Quiz: why can't one simply sudo firefox as another user?

I'd be interested in others' ideas for browser security.
Thanks.
June 1, 2018 at 12:26 am #10614 (Anonymous)

"The true human user on the system has home directory permission like so:
drwx------"

Did you explicitly change this across all user directories on your system? Asking because (https://wiki.debian.org/Permissions):

"The umask of a 'stock' Debian system is 0022 which makes the default permissions be 0755 — the owner has all permissions, the group read and execute but not write, and everybody else can read and execute but not write."

Also, if you examine /etc/sudoers.d/antixers you'll find some permissive security "holes" (granted across the board, to all accounts in usergroup "users", and by default each new user account receives membership in the "users" usergroup).

So, to prevent browser access to other users' files, I think we need

sudo adduser --disabled-password --group untrusted browsy   # new usergroup is created if it does not already exist
sudo usermod -g untrusted browsy                            # strip any extra groups membership

Online guides suggest various different approaches, and I disagree with some of the suggested details, for instance "copy your existing browser profile, and change permissions". I say, no. Start from scratch, reinstall any wanted plugins, copy into place your custom "user.js" browser preferences.

This guide, and others, advise adding a rule into sudoers, like
https://rizvir.com/articles/web-browser-security/

yourusername yourhostname=(browsy) NOPASSWD: /usr/bin/firefox.real

I'm agreeing with what's shown in your post. MOVE the browser executable to an unexpected filename, and launch it using a wrapper script, one that displays a popup dialog so you're aware something (maybe not you, knowingly) is attempting to launch the browser. Too few people know / care / worry about the fact that nowadays firefox -headless "is a thing" (same for chrome).

Also, based on your "quiz" question, I'm guessing you've missed the detail of creating the sudoers rule.
With the rule in place, a ".desktop launcher" execstring like this should be effective (HOLD THAT THOUGHT):

sudo -u browsy -H "firefox.real"

Some howto guides mention the permissiveness of Xserver, and recommend launching the isolated browser inside an xephyr server instance.
Many of the guides give a more specific xhost directive, one that specifies the username, like

xhost +local:browsy

THAT THOUGHT:
Another howto suggested using the following in the launcher wrapper, but it doesn't cover the pulseaudio detail you mentioned and it doesn't consider using xephyr (so is a turnoff for me)
--------------------------
#! /bin/sh
# Look up the invoking user's X cookie for this host and hand it to browsy before launching.
HOST=$(hostname)
XAUTH=$(xauth -f "/home/${SUDO_USER}/.Xauthority" list | grep "$HOST" | tail -n 1)
sudo su - browsy -c "export DISPLAY=:0; xauth add $XAUTH; firefox.real"
--------------------------
Other thoughts:
1) instead of, or in addition to this homebrew browser isolation, consider using firejail and firetools
2) all this fussing is pretty much pointless, is undermined, if you don't forge a heavily customized set of preferences (user.js)
3) after setting up a customized /home/browsy/.mozilla, i prefer to create a copy then rsync into place that "pristine" copy each session, saving nothing (no bookmarks, no LocalStorage, no cookies) across sessions.

June 1, 2018 at 1:10 pm #10630 (Moderator: Brian Masinick)
Worthwhile dialogue; thank you very much!
I have not given this much thought previously, but the suggestions you've made are a step in the right direction; appreciate it!
--
Brian Masinick

June 4, 2018 at 12:17 pm #10719 (Member: roytobin)
Thank you for detailed info. I do have all users' directories permission changed, but the info on /etc/sudoers.d/antixers was new to me, and I thank you. I especially appreciate the antiX-specific details, as I am new to antiX (coming from Mepis 11 from RedHat from SunOS from DYNIX).

I know this thread topic is not antiX-specific — appreciate lack of criticisms. But I thought it worthwhile here as many potential linux converts may be coming to antiX from a windoze background while trying to repurpose an older & limited machine to do something useful.

June 4, 2018 at 8:23 pm #10727 (Member: DeepDayze)
What about using firejail to "jail" your browser (i.e. Chrome, Firefox, Opera)?
Real men use Linux 🙂
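The pieces discussed in the first two posts (a separate browser account, a NOPASSWD sudoers rule for one fixed command, a nested Xephyr display instead of "xhost +", and a pristine profile restored every session) put together as one launcher wrapper. This is an added example, not code from the thread, from antiX or from any of the linked guides; the account name browsy, the paths /usr/bin/firefox.real, /usr/local/bin/browsy-session and /home/browsy/.mozilla.pristine, and an installed Xephyr are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed: isolated account "browsy", renamed
# binary /usr/bin/firefox.real, pristine profile /home/browsy/.mozilla.pristine, this
# file installed root-owned as /usr/local/bin/browsy-session, Xephyr installed, and the
# sudoers line printed by sudoers_rule() in /etc/sudoers.d/. Audio is not handled here.
BROWSER_USER=browsy
BROWSER_BIN=/usr/bin/firefox.real
SESSION_CMD=/usr/local/bin/browsy-session
PRISTINE=/home/$BROWSER_USER/.mozilla.pristine
PROFILE=/home/$BROWSER_USER/.mozilla
# Sudoers line the passwordless launch depends on ($1 = your user, $2 = hostname or ALL).
# Only this root-owned wrapper is granted, never a shell, so the grant cannot be widened.
# Check the file with "visudo -c" before relying on it.
sudoers_rule() {
    printf '%s %s=(%s) NOPASSWD: %s\n' "$1" "$2" "$BROWSER_USER" "$SESSION_CMD"
}
# First free X display number, so the nested Xephyr does not collide with the real server.
# $1 is the X socket directory (/tmp/.X11-unix in practice).
free_display() {
    n=1
    while [ -e "$1/X$n" ]; do n=$((n + 1)); done
    echo "$n"
}
# Replace the live profile ($2) with a copy of the pristine one ($1), so no cookies,
# LocalStorage or history survive from the previous session.
reset_profile() {
    rm -rf "$2"
    cp -pR "$1" "$2"
}
# Runs as the desktop user: start a nested X server and hand only that display to browsy.
# The real display's access list is never opened with "xhost +". -ac relaxes access
# control on the nested display only, which is the one the browser window lives in.
launch() {
    disp=$(free_display /tmp/.X11-unix)
    Xephyr -ac -br -noreset -screen 1280x800 ":$disp" &
    xephyr_pid=$!
    sleep 1
    sudo -u "$BROWSER_USER" -H "$SESSION_CMD" session ":$disp"
    kill "$xephyr_pid"
}
# Runs as browsy under sudo: fresh profile, then exec the renamed binary on the nested display.
session() {
    reset_profile "$PRISTINE" "$PROFILE"
    export DISPLAY=$2
    exec "$BROWSER_BIN"
}
case "${1:-}" in launch) launch ;; session) session "$@" ;; esac
```

Run it as your desktop user with the argument `launch`; sudo then re-enters the same file as browsy with the argument `session`, so the sudoers rule only ever names this one path.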