I wanted to run my browser in a chroot for a variety of reasons. I would like to insulate my main install a little better from possible mischief from Java or JavaScript, yet avoid some of the awkwardness of running Adaware and NoScript. I would also like to be able to run Flash and the like at full tilt without installing any Adobe executables in my main environment. Although most things run quite well on 64-bit, sometimes it helps to have a 32-bit chroot.
The browser should run as a different user so that my home directory cannot be harmed (or filled with nonsense files).
I've seen this done in different ways; mine could certainly use some work.
The basic steps are:
1. set up a chroot with the browser
2. set up keyless ssh
3. set up scripts to execute the browser in a chroot
I usually rely on https://wiki.ubuntu.com/DebootstrapChroot for a quick synopsis of the chroot process.
Setting up the chroot. I originally planned to use an Ubuntu chroot, but it was much easier to get sound working with a Debian chroot.
[code]
aptitude install schroot
adduser iceweasel        # later, iceweasel will be the only user that runs iceweasel
adduser iceweasel audio  # iceweasel will need sound
ln -s /home/yourusername/.Xauthority /home/iceweasel/.Xauthority
[/code]
There may be other ways to provide access to the X server. 'xhost +' did not seem like a good idea; 'xhost +127.0.0.1' might be acceptable, but I wanted something automated. Note that the symlink only works if the iceweasel user can read your .Xauthority file, and that it gives the browser the same access to your X session as your own clients have, so this does not isolate the browser at the X level.
[code]
aptitude install debootstrap
debootstrap --arch i386 squeeze /chroot/squeeze-32 http://ftp.debian.org/debian/
[/code]
/etc/schroot/schroot.conf needs to be edited now.
I added the lines:
[code]
description=32 bit Squeeze
[/code]
You will also want to modify /etc/fstab for the chroot, adding the lines:
[code]
/tmp  /chroot/squeeze-32/tmp  none bind 0 0
/dev  /chroot/squeeze-32/dev  none bind 0 0
/proc /chroot/squeeze-32/proc none bind 0 0
[/code]
You should be able to enter the chroot now. As root, you will want to switch over:
[code]
schroot -p
[/code]
You should be in the chroot now. Try a command such as 'xclock', which the fresh chroot does not have; if it works, you are not in the chroot.
Now it is time to get the chroot into basic working order; in the chroot:
[code]
apt-get install debian-keyring
apt-get install aptitude
aptitude install alsa locales   # for sound and to set the locale
dpkg-reconfigure locales        # choose the en-utf8 variations
aptitude install iceweasel
echo "deb http://ftp.debian.org/debian squeeze main contrib non-free" >> /etc/apt/sources.list
aptitude install flashplugin-nonfree
[/code]
At this point, exit the chroot and try a few things out. Can the user iceweasel run iceweasel?
[code]
export DISPLAY=:0   # this may or may not be necessary
schroot -p          # you should now be in the chroot
[/code]
If things are OK, then Iceweasel should have come up.
The next part is a little more awkward. There are numerous references to using sudo and gksu to run a program as a different user, and suggestions of creating groups and whatnot. I didn't find a good way to do it without a password, and I also wanted to avoid setuid. However, it would not be comfortable to type a password every time I want to start Iceweasel.
I decided to use an ssh key. (This also fixes problems with file permissions later.)
If you don't already have an ssh key, you will want to generate one. If your existing key has a passphrase, create an additional one exclusively for use with the browser.
[code]
ssh-keygen -t rsa
[/code]
You should be able to ssh into the iceweasel account with no problems.
Now create a script, /home/iceweasel/iceweasel_chroot.sh, in the 'regular' (non-chroot) iceweasel account, containing the following:
[code]
#!/bin/sh
# run the chroot's Iceweasel (the script itself runs as the host user iceweasel)
schroot -p /usr/bin/iceweasel
[/code]
Add executable permissions:
[code]
chmod +x /home/iceweasel/iceweasel_chroot.sh
[/code]
Then create a similar file, /home/youruser/iceweasel_transfer.sh, in your regular user's account, containing the following:
[code]
#!/bin/sh
# switch to the iceweasel user with the key and start the chroot launcher
/usr/bin/ssh iceweasel@localhost /home/iceweasel/iceweasel_chroot.sh
[/code]
Add executable permissions:
[code]
chmod +x /home/youruser/iceweasel_transfer.sh
[/code]
It should now be possible, as your regular user, to run iceweasel_transfer.sh and have Iceweasel pop up using the chroot version.
You will want to upload files from your browser. However, the user 'iceweasel' will not be able to read them, so you will want an easy way to transfer the files.
First (as iceweasel) create the directory you would like to upload from:
A script similar to this in /usr/local/bin/cp_ice.sh should help:
[code]
#!/bin/sh
# copy the given file into the iceweasel user's upload directory
scp "$1" iceweasel@localhost:/home/iceweasel/uploads
[/code]
Make it executable:
[code]
chmod +x /usr/local/bin/cp_ice.sh
[/code]
Then, as your regular user, you can run cp_ice.sh on a file and it should appear in the uploads directory.
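The passwordless key set up above gives anyone who can read it a full login as the iceweasel user. As an added example, not part of the original post, here is a forced-command gate that limits that key to the two things the post's scripts need: starting the launcher and uploading into the uploads directory. The path /home/iceweasel/ice_gate.sh, the function names and the assumption that the client uses the legacy scp protocol are mine, not the post's.

```shell
#!/bin/sh
# Added example, not from the original post: a forced-command "gate" for the
# passwordless key. Without it, anyone who obtains the key gets a full shell
# as the iceweasel user; with it, the key can only start the chroot launcher
# or upload into the uploads directory. Assumed (not in the post): this file
# is installed as /home/iceweasel/ice_gate.sh and sshd runs it as command=.

GATE=/home/iceweasel/ice_gate.sh
LAUNCHER=/home/iceweasel/iceweasel_chroot.sh   # launcher from the post
UPLOAD_DIR=/home/iceweasel/uploads             # upload dir from the post

# Map the command the client asked for (sshd passes it in
# SSH_ORIGINAL_COMMAND) to the only commands we are willing to run.
# Prints the command on success; returns 1 for anything else.
allowed_command() {
    case $1 in
        "" | "$LAUNCHER")
            # plain "ssh iceweasel@localhost" or iceweasel_transfer.sh
            printf '%s\n' "$LAUNCHER" ;;
        "scp -t $UPLOAD_DIR" | "scp -t $UPLOAD_DIR/")
            # what cp_ice.sh's scp runs on the server side (legacy scp protocol)
            printf 'scp -t %s\n' "$UPLOAD_DIR" ;;
        *)
            return 1 ;;
    esac
}

# Build the authorized_keys entry for a public key file: forced command plus
# no forwarding and no pty, so the key is useless for an interactive login.
authorized_keys_entry() {
    pubkey_file=$1
    [ -r "$pubkey_file" ] || return 1
    # keep key type and key material only; the comment field is dropped
    key=$(awk 'NR == 1 { print $1 " " $2 }' "$pubkey_file")
    printf 'command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$GATE" "$key"
}

# Gate behaviour: only when sshd runs this file under its installed name.
case $0 in
    */ice_gate.sh)
        cmd=$(allowed_command "${SSH_ORIGINAL_COMMAND-}") || {
            echo "ice_gate: refused: ${SSH_ORIGINAL_COMMAND-}" >&2
            exit 1
        }
        # $cmd is one of the two fixed strings above, so word splitting is safe
        exec $cmd ;;
esac
```

Append the line that authorized_keys_entry prints to /home/iceweasel/.ssh/authorized_keys instead of the bare public key; the transfer and upload scripts above then keep working unchanged. OpenSSH clients from 9.0 onwards use SFTP for scp by default, so with such a client cp_ice.sh needs scp -O or the gate needs an extra case for the sftp-server command.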