LinuxQuestions.org
Old 01-29-2015, 12:18 AM   #1
jago25_98
Member
 
Registered: Jun 2001
Posts: 302

Rep: Reputation: 30
Browser sudo <user> should be default...


I went to the trouble of setting a separate user for my browser. I then launch this via an icon. If a chrome browser extension turns out to be untrustworthy (for example) your data (bitcoin wallet!?) is at least that bit harder to grab.

Something like this should be default, or at least easier to set up. It was a real pain to do.

Another way round, if I were to do it again, would be to run sensitive apps as a separate user rather than the browser. One of the drawbacks I have is that I now have to have a shared filespace to transfer files between users... and this is a pain for posting screenshots online, sharing files etc.

It really seems incredible that people are installing all kinds of closed source browser extensions, some of which have the ability to read where their sensitive data.

hmm... anybody wanna make a bitcoin themed chrome extension....
 
Old 01-29-2015, 01:07 PM   #2
sudowtf
Member
 
Registered: Nov 2013
Posts: 204

Rep: Reputation: 46
maybe an alternative would be firejail. i use it to launch firefox occasionally.

Last edited by sudowtf; 01-30-2015 at 08:27 AM.
 
Old 01-29-2015, 01:12 PM   #3
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680

Rep: Reputation: 2373
Doesn't SELinux (and the other one I can't recall and since this device is limited it would take too long to google) do something like this?
 
Old 01-30-2015, 08:18 AM   #4
jago25_98
Member
 
Registered: Jun 2001
Posts: 302

Original Poster
Rep: Reputation: 30
Yes, these solutions do work.
...but they're not very easy to use.
I actually have a chroot jail for firefox and I can use this on suspect sites... but it's a real pain to use. For example you can't upload or download any files. So I don't use it as much as I'd like to.

There should be something that assists with the whole process - for example to help monitoring files as they come across.
Browsers like Chrome do in fact do this kind of thing but it's not transparent as to what is happening. Similar on other platforms such as Android which have a privacy guard or similar installed.

Firejail is good. You need to configure it to allow a shared directory that you know you need to be careful of. I think Firejail should be already set and running for desktop distributions.

Last edited by jago25_98; 01-30-2015 at 08:42 AM.
 
Old 01-30-2015, 08:32 AM   #5
sudowtf
Member
 
Registered: Nov 2013
Posts: 204

Rep: Reputation: 46
you can maybe use the tor browser bundle with limited plugins, but it will be slower. downloads are stored in the browser-bundle's folder ./tor-browser_en-US/Browser/Downloads

Last edited by sudowtf; 01-30-2015 at 08:33 AM.
 
Old 01-30-2015, 09:00 AM   #6
cepheus11
Member
 
Registered: Nov 2010
Location: Germany
Distribution: Gentoo
Posts: 286

Rep: Reputation: 91
Tor browser bundle is not a solution, because it does not sandbox the browser in a sense the op wants. More so, the tor exit nodes see data in plaintext, and are not to be trusted. So with http:// connections, the danger of injected malicious scripts trying to own the process is even increased, compared to, say, firefox with noscript.
 
Old 01-30-2015, 09:22 AM   #7
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,610
Blog Entries: 4

Rep: Reputation: 3905
I simply log-on as different users when doing sensitive things ... for instance, when doing accounting work, I'm logged on as the accountant and so-on.

The problem with your strategy is that, not only would you want to run Firefox "as" a different user, but you would want it to have an entirely different home-directory, as well. And, you would want your more sensitive files (e.g. wallets) to be stored in a home-directory which is not readable or accessible by any other user on the system. (Which, BTW, is not the default.)

So, log in as that user, thereby entering its private and walled-off playpen. Do not use a web browser while you are there. And, have some kind of background backup utility running all the time.
 
1 members found this post helpful.
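
Added example, not part of any post in this thread: a POSIX shell audit for the point made in post #7, that running the browser as a separate user only protects a wallet if the sensitive user's home directory is closed to every other account. The function names are hypothetical, and the directory to check is whatever path you pass in.

```shell
#!/bin/sh
# Added example (not from the thread): check that a directory holding
# sensitive files gives no access to group or other, and fix it if not.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Status 0 if group and other have no access at all to the directory itself,
# 1 if they do, 2 if the path cannot be examined.
dir_is_private() {
    dip_mode=$(mode_of "$1") || return 2
    [ $(( 0$dip_mode & 077 )) -eq 0 ]
}

# Print regular files under the directory that group or other can read.
# These become reachable the moment the directory itself is opened up.
exposed_files() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -print
}

# Remove every group/other permission from the directory and its contents.
lock_down() {
    chmod -R go= "$1"
}

# Report for one directory; status 1 means something is exposed.
audit_home() {
    ah_status=0
    if ! dir_is_private "$1"; then
        echo "EXPOSED dir  (mode $(mode_of "$1")) $1"
        ah_status=1
    fi
    if [ -n "$(exposed_files "$1")" ]; then
        exposed_files "$1" | sed 's/^/EXPOSED file /'
        ah_status=1
    fi
    return "$ah_status"
}

# Stand-alone use: sh audit_home.sh /home/accountant
if [ "$#" -gt 0 ]; then
    audit_home "$1"
fi
```

Run it as the owner of the directory (or as root) so `find` can descend into it; `lock_down` is the corresponding fix.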