Gentoo Forums
any benefit to running firefox as different user?
turtles
Veteran
Joined: 31 Dec 2004
Posts: 1341

Posted: Fri Jul 19, 2013 7:00 pm    Post subject: any benefit to running firefox as different user?

I have seen some discussion of running browsers like firefox as a different user as a way to chroot them:
http://calum.org/posts/running-firefox-as-another-user-using-sudo
I am interested if there are any real benefits to this?
Are there any documented cases of a Linux desktop being backdoored by a web browser or Flash-type stuff?
Thoughts?
_________________
Donate to Gentoo


Last edited by turtles on Sat Jul 20, 2013 10:32 pm; edited 1 time in total
666threesixes666
Veteran
Joined: 31 May 2011
Posts: 1248
Location: 42.68n 85.41w

Posted: Fri Jul 19, 2013 7:03 pm

As opposed to running firefox as root? My systems are not run as root; I add locked-down users. I wouldn't sudo -u ff -H firefox, I'd instead be logged in as user and run firefox. It's a very bad idea to run anything interacting with the net as root.
The Doctor
Moderator
Joined: 27 Jul 2010
Posts: 2546

Posted: Fri Jul 19, 2013 8:56 pm

I do this with skype, spotify, and wine. I haven't felt a particular need to do this with firefox because I generally trust the sites I visit. However, I do think it has benefits since any back door or nasty script is then contained in a separate user account. However, anything you download or upload will have to either go through that account or that account will need read/write access to your main account which defeats the purpose.

I am afraid I don't know of any specific examples of compromised computers. I think java may actually be a bigger threat than flash, but flash has plenty of potential to be nasty on its own.
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.
PaulBredbury
Watchman
Joined: 14 Jul 2005
Posts: 7310

Posted: Sat Jul 20, 2013 3:15 am    Post subject: Re: any benefit to running firefox as different user?

turtles wrote:
any real benefits to this?

Security, of course. There's tons of Chinese hackers who would love to hack the Pentagon's mainframe via your PC, since then YOU have to explain what all those suspicious packets were ;)

Personally, I use (and recommend) AppArmor, to lock down apps, especially Internet-facing apps, proprietary apps, and apps that run as root.

Quote:
documented cases

A quick google shows: Chrome exploit, Java exploit, Pwn2Own successes.

I experienced the amusing acroread bug which attempted to write a Windows log file via the Adobe Reader web plugin.

Since these plugins (Adobe Reader, Flash, Java) are spawned from firefox, they are under AppArmor's protection too.

Interestingly, Ubuntu does use AppArmor to protect Firefox, but the default Ubuntu rules are so loose (so as not to inconvenience users) that Ubuntu allowed the Reader log file to be written. My rules are much more strict ;)

The Doctor wrote:
will need read/write access to your main account

Not really - it's called a demilitarized zone, which for me is a single directory.
_________________
Improve your font rendering and ALSA sound
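
An added example, not part of any post in this thread: a preflight check for the separate-account setup discussed above, using the single shared "DMZ" directory PaulBredbury mentions. The account name `ff` comes from the sudo command quoted earlier; the group `webdmz` and the path `/srv/dmz` are assumptions, and the home check assumes `ff` is not a member of your home directory's group.

```shell
#!/bin/sh
# Added example, not from the thread. Requires GNU or busybox stat (-c).

# Print the "other" permission digit (0-7) of a path.
other_bits() {
    m=$(stat -c '%a' "$1") || return 2
    echo $(( 0$m & 7 ))
}

# Succeeds when accounts outside the owner and group cannot list or
# enter DIR, i.e. the browser account cannot walk into your home.
is_private() {
    o=$(other_bits "$1") || return 2
    [ "$o" -eq 0 ]
}

# Succeeds when DIR works as the single exchange ("DMZ") directory:
# it belongs to group GID, the group has rwx, setgid is set so new
# files inherit the group, and everyone else is locked out.
is_dmz() {
    dir=$1 gid=$2
    m=$(stat -c '%a' "$dir") || return 2
    g=$(stat -c '%g' "$dir") || return 2
    [ "$g" -eq "$gid" ] || return 1
    [ $(( (0$m >> 3) & 7 )) -eq 7 ] || return 1   # group rwx
    [ $(( 0$m & 02000 )) -ne 0 ] || return 1      # setgid bit
    [ $(( 0$m & 7 )) -eq 0 ]                      # other: nothing
}

# Refuse to start the browser unless both checks pass.
# Usage (assumed names):
#   launch_isolated ff "$HOME" /srv/dmz "$(getent group webdmz | cut -d: -f3)"
launch_isolated() {
    user=$1 home=$2 dmz=$3 gid=$4
    is_private "$home" || { echo "$home is open to other accounts" >&2; return 1; }
    is_dmz "$dmz" "$gid" || { echo "$dmz is not a group-only setgid dir" >&2; return 1; }
    sudo -u "$user" -H firefox
}
```

Files then move between the two accounts only through the setgid directory, so no chown step is needed for uploads or downloads.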
turtles
Veteran
Joined: 31 Dec 2004
Posts: 1341

Posted: Sat Jul 20, 2013 7:19 pm

666threesixes666 wrote:
as opposed to running firefox as root?
No, as opposed to running firefox or chrome as your regular user.
I am strongly considering making another user for web browsers that cannot access my normal user account.
I will then have to manually move files to that user's account and chown them to upload to the internet, which would be a PITA.

PaulBredbury wrote:
Security, of course. There's tons of Chinese hackers who would love to hack the Pentagon's mainframe via your PC, since then YOU have to explain what all those suspicious packets were ;)

Personally, I use (and recommend) AppArmor, to lock down apps, especially Internet-facing apps, proprietary apps, and apps that run as root.

Thanks Paul, that's what I meant: security benefit that outweighs the decreased usability for users. I have seen those conferences, what skilled hackers can do, but I wonder, is it really so common now that this should be SOP?
I'll look into AppArmor.
PaulBredbury
Watchman
Joined: 14 Jul 2005
Posts: 7310

Posted: Sat Jul 20, 2013 8:27 pm

Nah, it's not worth the effort to set up. Fuhgeddaboutet.

BTW, what's yer IP address, and do you use Internet banking? Just, erm, wondering ;)
turtles
Veteran
Joined: 31 Dec 2004
Posts: 1341

Posted: Sat Jul 20, 2013 8:48 pm

Those contests are indeed interesting...
Why did they drop Ubuntu after the first year when nobody hacked it?
All times are GMT