
Thread: running browser as separate user

  1. #1
    Join Date
    Jul 2012
    Beans
    25

    running browser as separate user

    Hey all, I was wondering whether any security can be gained by running the browser as a separate user? E.g. something like adding a new account in a new group and then using su to run the browser? Thoughts all? If this is actually a good idea then can anyone suggest a reasonably detailed method for setting it up?

  2. #2
    Join Date
    Jan 2008
    Beans
    7,749

    Re: running browser as separate user

    This functionality is built in to Firefox in the form of "profiles":

    http://support.mozilla.org/en-US/kb/...ores-user-data

    If you are using Firefox as Profile A then it will not have access to the passwords, cookies, bookmarks, etc. of Profile B.

  3. #3
    Join Date
    Jan 2013
    Beans
    13

    Re: running browser as separate user

    Hungry Man wrote a great post on his blog.
    http://www.insanitybit.com/2012/08/0...nt-for-pidgin/
    The example is Pidgin, but it also applies to browsers.

  4. #4
    Join Date
    Mar 2011
    Beans
    669

    Re: running browser as separate user

    As Lfekey2 notes, I've written this up for Pidgin. Replacing Pidgin with your browser will have the same effects.

    Users are separated from each other in terms of file access and their ability to communicate with other processes in separate user IDs. By running your program as another user you gain some security.

    There are downsides. When you download something from your browser it'll be in the other user's home directory. You can fix this with setfacl but I haven't gotten around to learning how to do this.

  5. #5
    Join Date
    Aug 2009
    Beans
    Hidden!

    Re: running browser as separate user

    Quote (originally posted by Hungry Man):
    By running your program as another user you gain some security.

    If you would collate a top ten list of ITW browser or related attacks Linux users face, what security would you actually gain from using a separate Id?

  6. #6
    Join Date
    Jun 2008
    Location
    Tennessee
    Beans
    3,415

    Re: running browser as separate user

    Doesn't AppArmor already limit what Firefox can access on your system?

  7. #7
    Join Date
    Mar 2011
    Beans
    669

    Re: running browser as separate user

    AppArmor does restrict the browser. It's two different methods with somewhat different results.

    @unspawn,

    Linux desktop users rarely face threats. I'd say Java exploits are the most likely attack vector for a Linux user. In the case of a Java exploit, running the browser and plugin as a separate user will mean that only that UID is compromised.

  8. #8
    Join Date
    Jul 2012
    Beans
    25

    Re: running browser as separate user

    Quote (originally posted by snowpine):
    This functionality is built in to Firefox in the form of "profiles":

    http://support.mozilla.org/en-US/kb/...ores-user-data

    If you are using Firefox as Profile A then it will not have access to the passwords, cookies, bookmarks, etc. of Profile B.

    This is not what I was asking about at all.

  9. #9
    Join Date
    Jul 2012
    Beans
    25

    Re: running browser as separate user

    Quote (originally posted by Hungry Man):
    AppArmor does restrict the browser. It's two different methods with somewhat different results.

    @unspawn,

    Linux desktop users rarely face threats. I'd say Java exploits are the most likely attack vector for a Linux user. In the case of a Java exploit, running the browser and plugin as a separate user will mean that only that UID is compromised.

    So this method would prevent the browser from doing any damage/making any changes to the user's home folder?

  10. #10
    Join Date
    Mar 2011
    Beans
    669

    Re: running browser as separate user

    Yes. It gets its own separate home folder. It can't read or write to the user's home folder.
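
Added example, not written by any poster in this thread: whether the separate account is locked out of your home folder depends on the permission bits of that folder and its contents, so this Python script evaluates the classic owner/group/other check for a given account. It assumes an unprivileged account and does not model POSIX ACLs (setfacl) or AppArmor; the account name and home path passed on the command line are whatever you created.

```python
import os
import stat
from collections import namedtuple

Access = namedtuple("Access", "read write traverse")

def dac_bits(st, uid, gids):
    """rwx bits that plain Unix permissions grant an unprivileged uid/gids.

    The kernel applies exactly one class: owner, else group, else other.
    """
    mode = stat.S_IMODE(st.st_mode)
    if uid == st.st_uid:
        return (mode >> 6) & 0o7
    if st.st_gid in gids:
        return (mode >> 3) & 0o7
    return mode & 0o7

def home_exposure(home, uid, gids):
    """What the browser account (uid, gids) may do with the directory itself."""
    bits = dac_bits(os.stat(home), uid, set(gids))
    return Access(bool(bits & 4), bool(bits & 2), bool(bits & 1))

def exposed_entries(home, uid, gids):
    """Top-level entries the account could read once it can enter home."""
    if not home_exposure(home, uid, gids).traverse:
        return []  # no search (x) bit: nothing below is reachable
    found = []
    for entry in os.scandir(home):
        if entry.is_symlink():
            continue  # link modes are meaningless; the target decides
        if dac_bits(entry.stat(follow_symlinks=False), uid, set(gids)) & 4:
            found.append(entry.name)
    return sorted(found)

if __name__ == "__main__":
    import pwd
    import sys
    # Usage: check_home.py <browser-account> <your-home-directory>
    acct = pwd.getpwnam(sys.argv[1])
    groups = os.getgrouplist(acct.pw_name, acct.pw_gid)
    print(home_exposure(sys.argv[2], acct.pw_uid, groups))
    print(exposed_entries(sys.argv[2], acct.pw_uid, groups))
```

A home directory with mode 755 reports read and traverse access for the browser account, while 700 or 750 (with the account outside your group) reports none.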
