LinuxQuestions.org, Linux - Security forum: Separate user account for browser, chat, etc. Worth it? (https://www.linuxquestions.org/questions/linux-security-4/separate-user-account-for-browser-chat-etc-worth-it-4175507022/)

Gullible Jones 06-04-2014 09:13 AM

Separate user account for browser, chat, etc. Worth it?
 
Mandatory access control is a pain to set up, and not standardized across Linux distributions. But (ab)using ACLs and UNIX discretionary access controls to run programs under secondary accounts is easy, and safe enough on desktops (though not really suitable for multiuser systems).

My question is, how useful is it really?

X11 provides no GUI isolation. (Well, unless you use Xephyr or something, and that breaks copy/paste support.) A compromised browser or chat session can be barred filesystem access to your home directory, preventing it from snooping on your emails or grabbing your SSH keys, or stuff like that; but it can still capture keystrokes going into any X11 program. It's even possible to take control of an application via X11, from another application in the same X session (though IIRC this would be obvious to the user).

Is filesystem isolation based on separate user accounts actually worth anything, or is it just too easily circumvented on desktops to be of any use?

linosaurusroot 06-04-2014 09:43 AM

Mandatory access with Apparmor is not a pain ... I have been using it and the predecessor (Subdomain) since 2001. I recommend it for browsers and other exposed programs. It comes with Suse and Ubuntu.

Another approach is qubes ( http://qubes-os.org/trac ).

Isolation of user accounts on a desktop probably suffers from these issues (in decreasing order as guessed unscientifically by me)

- X11 bugs http://www.phoronix.com/scan.php?pag...tem&px=MTU1NzA
- kernel bugs
- userspace bugs (other than X11)
- misconfiguration (place this higher if badly managed)

Gullible Jones 06-04-2014 11:37 AM

Hmm, thanks. Just curious though, wouldn't AppArmor also suffer from X11 related and at least some kernel issues?

Userspace bugs might be possible to mitigate with a very minimal chroot sandbox, but that would be a pain.

Qubes would be interesting to try, unfortunately I don't have any suitable hardware available. Also, to be honest, I've only ever seen bad things and breakage from Xen.

Shadow_7 06-04-2014 11:39 AM

I use multiple users in X. Although I do it to isolate browser cache, game cache, and useful programming stuff into separate /home/ locations. If I run low on drive space it's pretty easy to nuke an entertainment user to free up that space. I just need to copy the .Xauthority of the user who started X and set the DISPLAY and XAUTHORITY variables for each user after logging in. The variables can be set in the .bashrc.

It's not really that useful for security except for isolating your web browser from important data since cross user file contents cannot be read. But it's useful for space management and keeping task specific bash histories based on the user(s) for a given task. Of course all of this assumes that you're a heavy CLI type and have root access to copy the .Xauthority across users.

linosaurusroot 06-04-2014 11:44 AM

Quote:

Originally Posted by Shadow_7 (Post 5182357)
root access to copy the .Xauthority across users.

Or have access to both accounts and do
Code:

xauth list
xauth add ...paste-here...


linosaurusroot 06-04-2014 11:45 AM

Quote:

Originally Posted by Gullible Jones (Post 5182353)
Hmm, thanks. Just curious though, wouldn't AppArmor also suffer from X11 related and at least some kernel issues?

... bad things and breakage from Xen.

You can Apparmor the Xorg too. I've found Xen ok - perhaps it was long ago you tried it.

Gullible Jones 06-04-2014 04:30 PM

AppArmor Xorg? Doesn't Xorg have to run with full root privileges, or has that changed recently thanks to KMS?

Re xauth, is there any reason I shouldn't use e.g.

Code:

xhost +si:local:my_secondary_account

which would supposedly only allow connections from that account?
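The mechanism the last three posts describe (hand the X authorization cookie to a second account, then start the exposed program there, with the two home directories kept unreadable to each other) as one added shell example. It is not code from any poster in this thread. It assumes a local X session with DISPLAY set, `xauth` installed, and sudo rights to run commands as the secondary account; the account name `browseruser` in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): run a program under a secondary
# account on the current X display while keeping the primary account's
# home directory out of its reach.
#
# Usage (placeholder account name):  sh run_in_account.sh browseruser firefox

# Does the account exist on this machine?  `id` is POSIX, so no getent needed.
account_exists() {
    id "$1" >/dev/null 2>&1
}

# True when the "other" permission bits of a directory are all clear,
# i.e. a different unprivileged account cannot list or enter it.
# Columns 8-10 of `ls -ld` output hold those bits ("drwx------ ...").
home_is_private() {
    others=$(ls -ld "$1" | cut -c8-10)
    [ "$others" = "---" ]
}

# Copy the cookie for $DISPLAY into the target account's ~/.Xauthority.
# `xauth nextract` writes the entry in a numeric text form and
# `xauth nmerge` reads it back; sudo -H points HOME at the target's home
# so the merge lands in that account's own authority file.
share_display_cookie() {
    target="$1"
    [ -n "${DISPLAY:-}" ] || { echo "DISPLAY is not set" >&2; return 1; }
    xauth nextract - "$DISPLAY" | sudo -u "$target" -H xauth nmerge -
}

# run_in_account USER COMMAND [ARGS...]
run_in_account() {
    target="$1"; shift
    [ "$#" -gt 0 ] || { echo "usage: run_in_account USER COMMAND [ARGS...]" >&2; return 2; }
    account_exists "$target" || { echo "no such account: $target" >&2; return 1; }
    [ "$target" != "$(id -un)" ] || { echo "target must differ from the current user" >&2; return 1; }
    # The whole point is filesystem isolation; warn if our own home leaks.
    if ! home_is_private "$HOME"; then
        echo "warning: $HOME is readable by other accounts; run 'chmod 700 $HOME'" >&2
    fi
    share_display_cookie "$target" || return 1
    # sudo resets the environment, so DISPLAY is passed explicitly; -H makes
    # the program's caches and config land in the target's home, not ours.
    sudo -u "$target" -H env DISPLAY="$DISPLAY" "$@"
}

# Only act when invoked with arguments, so sourcing the file is harmless.
if [ "$#" -gt 0 ]; then
    run_in_account "$@"
fi
```

The `xhost +si:localuser:ACCOUNT` form from the post above is the alternative to copying the cookie: it tells the server to accept connections from that one local account without any file changing hands, and `xhost -si:localuser:ACCOUNT` revokes it again. Either way the secondary account is still a client of the same X server, which is exactly the limit the thread is discussing: the separate account protects files in the primary home, not keystrokes or windows.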

linosaurusroot 06-06-2014 01:53 AM

Quote:

Originally Posted by Gullible Jones (Post 5182539)
AppArmor Xorg? Doesn't Xorg have to run with full root privileges,

Xorg is setuid root but also confined by Apparmor. Here's what I'm using although I don't know how useful it is in practice.

Code:

# Last Modified: Sun Mar 30 19:50:29 2014
#include <tunables/global>

/usr/bin/Xorg {
  #include <abstractions/base>
  #include <abstractions/kde>

  capability ipc_owner,
  capability setgid,
  capability setuid,
  capability sys_admin,
  capability sys_rawio,

  deny /bin/bash x,

  /dev/fb0 rw,
  /dev/tty0 w,
  /dev/tty2 rw,
  /dev/vga_arbiter rw,
  /etc/X11/xorg.conf.d/ r,
  /etc/X11/xorg.conf.d/* r,
  /etc/udev/udev.conf r,
  /proc/*/cmdline r,
  /proc/cmdline r,
  /proc/mtrr w,
  /sys/bus/ r,
  /sys/bus/pci/devices/ r,
  /sys/class/ r,
  /sys/class/drm/ r,
  /sys/devices/** r,
  /usr/bin/Xorg mr,
  /usr/lib64/xorg/modules/drivers/ati_drv.so mr,
  /usr/lib64/xorg/modules/drivers/fbdev_drv.so mr,
  /usr/lib64/xorg/modules/drivers/modesetting_drv.so mr,
  /usr/lib64/xorg/modules/drivers/radeon_drv.so mr,
  /usr/lib64/xorg/modules/drivers/vesa_drv.so mr,
  /var/log/Xorg.0.log rw,
  /var/log/Xorg.0.log.old w,
}


sundialsvcs 06-06-2014 07:16 AM

I use multiple accounts all the time. For example, all work for a particular (human) client will be done in a separate account. Responsibilities such as accounting or what-not are done in separate accounts. And, in many cases, the associated directories are not-at-all readable by others.

To me, it's the same common-sense that says, "give different people in your office different cubicles or offices." The presence of an ordinary, even-flimsy lock on a door, or of a safety on a gun, is often all that's needed to avoid real trouble.

agentsteel 06-07-2014 07:49 AM

One solution would be to use a browser/chat/etc... virtual machine, isolated from the rest of your network.
