Separate user account for browser, chat, etc. Worth it?
Mandatory access control is a pain to set up, and not standardized across Linux distributions. But (ab)using ACLs and UNIX discretionary access controls to run programs under secondary accounts is easy, and safe enough on desktops (though not really suitable for multiuser systems).
My question is, how useful is it really?
X11 provides no GUI isolation. (Well, unless you use Xephyr or something, and that breaks copy/paste support.) A compromised browser or chat session can be barred filesystem access to your home directory, preventing it from snooping on your emails or grabbing your SSH keys, or stuff like that; but it can still capture keystrokes going into any X11 program. It's even possible to take control of an application via X11, from another application in the same X session (though IIRC this would be obvious to the user).
Is filesystem isolation based on separate user accounts actually worth anything, or is it just too easily circumvented on desktops to be of any use?
Mandatory access with AppArmor is not a pain ... I have been using it and the predecessor (Subdomain) since 2001. I recommend it for browsers and other exposed programs. It comes with SUSE and Ubuntu.
Hmm, thanks. Just curious though, wouldn't AppArmor also suffer from X11 related and at least some kernel issues?
Userspace bugs might be possible to mitigate with a very minimal chroot sandbox, but that would be a pain.
Qubes would be interesting to try, unfortunately I don't have any suitable hardware available. Also, to be honest, I've only ever seen bad things and breakage from Xen.
I use multiple users in X. Although I do it to isolate browser cache, game cache, and useful programming stuff into separate /home/ locations. If I run low on drive space it's pretty easy to nuke an entertainment user to free up that space. I just need to copy the .Xauthority of the user who started X and set the DISPLAY and XAUTHORITY variables for each user after logging in. The variables can be set in the .bashrc.
It's not really that useful for security except for isolating your web browser from important data since cross user file contents cannot be read. But it's useful for space management and keeping task specific bash histories based on the user(s) for a given task. Of course all of this assumes that you're a heavy CLI type and have root access to copy the .Xauthority across users.
I use multiple accounts all the time. For example, all work for a particular (human) client will be done in a separate account. Responsibilities such as accounting or what-not are done in separate accounts. And, in many cases, the associated directories are not-at-all readable by others.
To me, it's the same common-sense that says, "give different people in your office different cubicles or offices." The presence of an ordinary, even-flimsy lock on a door, or of a safety on a gun, is often all that's needed to avoid real trouble.
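As an added example (not from any poster in this thread): the file isolation discussed above only holds if the primary account's home directory is actually closed to other UIDs. The script below checks that with GNU find; the function names and the temporary sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Checks mode bits only; POSIX ACL
# entries are not inspected here (use getfacl for those). Assumes GNU find.

# Succeeds when DIR grants no permission bits at all to group or other.
# The top-level directory is the gate: without search (x) permission on it,
# another UID cannot reach anything below, whatever the inner modes are.
home_is_isolated() {
    [ -z "$(find "$1" -maxdepth 0 -perm /077)" ]
}

# Lists "MODE PATH" for entries below DIR that "other" can read or write.
# These are what a compromised secondary account could reach if DIR is open.
exposed_paths() {
    find "$1" -mindepth 1 -perm /006 -printf '%m %p\n'
}

# Combined report; returns non-zero when DIR is open to other accounts.
audit_home() {
    if home_is_isolated "$1"; then
        echo "OK: $1 is closed to group/other"
        return 0
    fi
    echo "OPEN: $1 is reachable by other accounts; exposed entries:"
    exposed_paths "$1"
    return 1
}

# Demo on a constructed tree (sample names, not real keys).
demo=$(mktemp -d)
mkdir -p "$demo/home/.ssh"
echo "constructed" > "$demo/home/.ssh/id_sample"
chmod 755 "$demo/home" "$demo/home/.ssh"
chmod 644 "$demo/home/.ssh/id_sample"
audit_home "$demo/home" || true   # reports OPEN and lists both entries
chmod 700 "$demo/home"
audit_home "$demo/home" || true   # reports OK
rm -rf "$demo"
```

Run `audit_home` against the primary account's home directory before relying on a secondary browser or chat account for file isolation.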