Old 12-27-2009, 04:39 PM   #1
Registered: Oct 2006
Distribution: Debian x64
Posts: 198

Rep: Reputation: 30
Running browser as a different user in a chroot

I wanted to run my browser in a chroot for a variety of reasons. I would like to insulate my main install a little better from possible mischief that might occur from Java or Java scripts; yet I would like to avoid some of the awkwardness of running Adaware and no-script. Also, I'd like to be able to run full out flash and what not without installing any Adobe executables in my main environment. Although most things run quite well with 64 bit, sometimes it helps to have a 32 bit chroot.

The browser should be run as a different user so that my home directory wouldn't be harmed (filled with nonsense files).
I've seen this done different ways. Mine could certainly use some work.

The basic steps are:
1. set up a chroot with the browser
2. set up keyless ssh
3. set up scripts to execute the browser in a chroot

I usually rely on for a quick synopsis of the chroot process.
Setting up the chroot. I originally planned to use a Ubuntu chroot but it was much easier to get the sound working with a Debian chroot.
aptitude install schroot
adduser iceweasel #later iceweasel will be the only user of iceweasel
adduser iceweasel audio #iceweasel will need sound
ln -s /home/yourusername/.Xauthority /home/iceweasel/.Xauthority
There may be other ways to provide access to the X server. 'xhost +' did not seem like a good idea. 'xhost +' might be acceptable, but I wanted something automated.
chmod +r /home/iceweasel/.Xauthority
mkdir /chroot/squeeze-32 #or whichever distro you choose  
dpkg -i debootstrap_1.0.20_all.deb
(or simply)
aptitude install debootstrap
and then
debootstrap --arch i386 squeeze /chroot/squeeze-32
/etc/schroot/schroot.conf needs to be edited now.
nano /etc/schroot/schroot.conf
I added the lines:
[Squeeze 32]
description=32 bit Squeeze
You will also want to modify /etc/fstab for the chroot adding the lines:
/tmp /chroot/squeeze-32/tmp none bind 0 0
/dev /chroot/squeeze-32/dev none bind 0 0
/proc /chroot/squeeze-32/proc none bind 0 0
 mount -a
You should be able to go into the chroot now. As root you will want to switch over.
schroot -p
You should be in the chroot now. Try a command such as 'xclock'; if it works you are not in the chroot.
Now time to get the chroot in some basic working order; in the chroot:
apt-get update
apt-get install debian-keyring
Type Yes.
apt-get update
apt-get install aptitude 
aptitude install alsa locales #for sound and to set the locale
dpkg-reconfigure locales #choose the en-utf8 variations
aptitude install iceweasel
echo "deb squeeze main contrib non-free" >> /etc/apt/sources.list
aptitude update
aptitude install flashplugin-nonfree
At this point exit the schroot and try a few things out.
Can the user iceweasel run iceweasel?
su iceweasel
export DISPLAY=:0 #this may or may not be necessary
schroot -p #you should now be in the chroot
If things are OK, then Iceweasel should have come up.

The next part is a little more awkward. There are numerous references to using sudo and gksu to be able to run a program as a different user. There are also suggestions of creating groups and whatnot. I didn't find a good way to do this without a password. I also wanted to avoid setuid. However, it would not be comfortable to type a password every time I want to start Iceweasel.

I decided to use an ssh key. (This also fixes problems with file permissions later.)
If you don't already have an ssh key you will want to generate one. Or if your ssh key uses a password you will want to create an additional one exclusively for use with the browser.
ssh-keygen -t rsa
ssh-copy-id iceweasel@localhost
You should be able to ssh into the iceweasel account with no problems.

Now you will want to create a script in your 'regular' (non-chroot) iceweasel account.
nano /home/iceweasel/
Then add the following lines:
export DISPLAY=:0
schroot -p /usr/bin/iceweasel
exit 0
Add executable permissions:
chmod +x /home/iceweasel/
Then create a similar file in your regular user's account.
nano /home/youruser/
Adding the following lines:
/usr/bin/ssh iceweasel@localhost  /home/iceweasel/
exit 0
Add executable permissions:
chmod +x /home/youruser/
It should now be possible as your regular user to type
and have Iceweasel pop up using the chroot version.

You will want to upload files from your browser. However, the user 'iceweasel' will not be able to read them. You will want an easy way to transfer the files.

First (as iceweasel) create the directory you would like to upload from:
mkdir /home/iceweasel/uploads
A script similar to this in /usr/local/bin/ should help.
scp "$1" iceweasel@localhost:/home/iceweasel/uploads
exit 0
Make it executable
 chmod +x /usr/local/bin/
Then as your regular user you can type:
Code: nameoffileyouwanttocopy
and it should be in the uploads directory.
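
An added example, not part of the original post: a small audit of what this setup exposes to other local accounts and to the chroot. It covers the .Xauthority permissions, the bind mounts listed in fstab, and whether the passwordless key in the browser account carries a forced command. Function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit what the chroot browser setup shares with the host.
# Function names are hypothetical; all paths are supplied by the caller.

# Exit 0 when FILE (symlinks followed) is readable by group or other.
# "chmod +r" on the symlinked .Xauthority produces exactly this state.
readable_by_others() {
    mode=$(stat -L -c %a "$1") || return 2
    [ $(( 0$mode & 044 )) -ne 0 ]
}

# Print the host directories that FSTAB bind-mounts below CHROOT.
# Each one is visible to processes running inside the chroot.
shared_with_chroot() {
    awk -v root="$2" '
        $1 !~ /^#/ && index($2, root "/") == 1 &&
        $4 ~ /(^|,)r?bind(,|$)/ { print $1 }' "$1"
}

# Print "forced" or "unrestricted" for every key in an authorized_keys
# file. A key with command="..." can only start that one program.
key_restrictions() {
    awk '
        /^[ \t]*(#|$)/        { next }
        /^(ssh-|ecdsa-|sk-)/  { print "unrestricted"; next }
        /(^|,)command="/      { print "forced"; next }
                              { print "unrestricted" }' "$1"
}

# Usage: audit XAUTHORITY FSTAB CHROOT AUTHORIZED_KEYS
audit() {
    if readable_by_others "$1"; then
        echo "WARN: $1 is readable by other local users"
    fi
    shared_with_chroot "$2" "$3" | sed 's/^/shared with chroot: /'
    key_restrictions "$4" | sed 's/^/browser account key: /'
}

if [ "$#" -eq 4 ]; then audit "$@"; fi
```

Called with /home/yourusername/.Xauthority, /etc/fstab, /chroot/squeeze-32 and /home/iceweasel/.ssh/authorized_keys, it reports on the files created in the steps above. A key marked forced can no longer serve the scp upload step, which then needs a key of its own.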
Old 01-26-2010, 03:37 AM   #2
Senior Member
Registered: Sep 2009
Location: Srbobran, Serbia
Distribution: CentOS 5.5 i386 & x86_64
Posts: 1,118
Blog Entries: 1

Rep: Reputation: 129
You should mark this thread as SOLVED.

