Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I went to the trouble of setting a separate user for my browser. I then launch this via an icon. If a chrome browser extension turns out to be untrustworthy (for example) your data (bitcoin wallet!?) is at least that bit harder to grab.
Something like this should be default, or at least easier to setup. It was a real pain to do.
A another way round, if I were to do it again, would be to run sensitive apps as a separate user rather than the browser.One of the draw backs I have is that I now have to have a shared filespace to transfer files between users... and this is a pain for posting screenshots online, sharing files etc.
It really seems incredible that people are installing all kinds of closed source browser extensions, some of which have ability to read where their sensitive data.
hmm... anybody wanna make a bitcoin themed chrome extension....
Yes, these solutions do work.
...but they're not very easy to use.
I actually have a chroot jail for firefox and I can use this on suspect sites... but it's a real pain to use. For example you can't upload or download any files. So I don't use it as much as I'd like to.
There should be something that assists with the whole process - for example to help monitoring files as they come across.
Browsers like Chrome do in fact do this kind of thing but it's not transparent as to what is happening. Similar on other platforms such as Android which have a privacy guard or similar installed.
Firejail is good. You need to configure it to allow a shared directory that you know you need to be careful of. I think Firejail should be already set and running for desktop distributions
you can maybe use the tor browser bundle with limited plugins, but it will be slower. downloads are stored in the browser-bundle's folder ./tor-browser_en-US/Browser/Downloads
Tor browser bundle is not a solution, because it does not sandbox the browser in a sense the op wants. More so, the tor exit nodes see data in plaintext, and are not to be trusted. So with http:// connections, the danger of injected malicious scripts trying to own the process is even increased, compared to, say, firefox with noscript.
I simply log-on as different users when doing sensitive things ... for instance, when doing accounting work, I'm logged on as the accountant and so-on.
The problem with your strategy is that, not only would you want to run Firefox "as" a different user, but you would want it to have an entirely different home-directory, as well. And, you would want your more sensitive files (e.g. wallets) to be stored in a home-directory which is not readable or accessible by any other user on the system. (Which, BTW, is not the default.)
So, log in as that user, thereby entering its private and walled-off playpen. Do not use a web browser while you are there. And, have some kind of background backup utility running all the time.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.