Author Topic: [SOLVED] Safer Browsing  (Read 5155 times)

Offline Was_Just19

  • Hero Member
  • *****
  • Posts: 6852
  • MLU
[SOLVED] Safer Browsing
« on: May 29, 2010, 12:19:17 PM »
Exploits when running as a limited user can have little effect on the OS generally speaking.

To be honest I am more concerned with the files which I, as user, have R/W access to.
They are the files that are important to me. The OS itself I can install in about 30 mins. Some of those media files I have stored would take much longer to replace ......  from backups etc etc.

So, I have been considering isolating my on-line browsing for instance, so that my user files would not be open to abuse should some insecurity occur in the browser in the future. Yes it is unlikely that I would be the one to get hit if it did, but someone has to ...

So the idea is to create a new user especially for browsing (in this case) and to allow me to run Firefox as that new user. Seemed simple at the outset, but like all simple ideas it soon got a little complicated ....  for me ....  mostly because I did not know what I was doing.

I read this post about a similar setup in Gentoo, from a little time back, but had no success unfortunately in PCLOS ....
http://calum.org/posts/running-firefox-as-another-user-using-sudo

I will outline what I did first so that you are with me ....

I created a new user .......   username: browser and no password.

I created a new menu entry - called SafeFirefox - (yes I was being optimistic)

I then added the few lines to the sudoers file to enable firefox to be launched and run in the other user account. Those lines were copied from the linked page above and edited to reflect my machine and user.

I launched Firefox in the new account to create a new profile for it.

OK, so now I have a new SafeFirefox launch menu item in my main account, which looks like this

Code: [Select]
sudo -u browser -H firefox
I appear to be missing something or have something done in error.
After selecting to run the new entry in a terminal and giving it the  --noclose  option I can see the following in the terminal when I try to run Safefirefox

Code: [Select]
No protocol specified
No protocol specified
Error: cannot open display: :0.0

If anyone has any ideas where I went wrong I would be grateful for a pointer.

Alternatively of course if there is an easier method of running Firefox as a different user from my account, (so that Firefox or anything connected with it can have no access to my account and files,) please explain what it is.
The simpler the better   :D

The simplest method I tried got hung up with Firefox trying unsuccessfully to access my   /tmp   directory and not the other users   /tmp.
So it really has to run in the other user's environment .....  saving files/downloads etc etc to the other account by default.

Hopefully someone will be able to point out where I am going wrong .......

Thanks for reading.

regards.
« Last Edit: June 01, 2010, 01:56:10 PM by JohnBoy »

Offline Mark342

  • Sr. Member
  • ****
  • Posts: 334
Re: Safer Browsing
« Reply #1 on: May 29, 2010, 01:58:35 PM »
Try copying the .Xauthority file from your home directory into the home directory of the user browser.

Offline Was_Just19

Re: Safer Browsing
« Reply #2 on: May 29, 2010, 02:24:11 PM »
> Try copying the .Xauthority file from your home directory into the home directory of the user browser.

That did it!

Thank you!

I just did a quick test and when I attempt to save a page SafeFirefox opens up the location under /home/browser/

That seems good to me   ;D ;D

Thanks again,

regards.

EDIT:
            Just a thought but is that file likely to either be overwritten again or possibly upset something else?
« Last Edit: May 29, 2010, 02:27:07 PM by JohnBoy »

Offline Was_Just19

Re: Safer Browsing
« Reply #3 on: May 30, 2010, 08:46:13 AM »
OK, I am back to get some help from those who know about these things  ;D

The .Xauthority file does change ....  or at least it was changed when I started up this morning.
I tried using  xauth to add from my .Xauthority file to that of user "browser" but that didn't work, and neither did using merge.

Which brought me to look at
xhost
which apparently controls who can connect to my xsession (if that is the terminology).

In any case if I turn off access control then I can run Firefox as user 'browser'. So this command in the shortcut/launch icon works well
Code: [Select]
xhost +; sudo -u browser -H /usr/bin/firefox; xhost -
returning the access control to enabled again when Firefox is closed.

Now I don't particularly like that because it disables access control completely.
What I want to do is grant the 'browser' user access control in addition to leaving the other controls enabled.

It seems as if all I had to do was
Code: [Select]
[user@Dell ~]$ xhost + browser
browser being added to access control list
but unfortunately it did not work.
I still get
Code: [Select]
[user@Dell ~]$ sudo -u browser -H /usr/bin/firefox
No protocol specified
No protocol specified
Error: cannot open display: :0.0
whereas disabling access control completely allows Firefox to start and run as if launched in  'browser' user's account.

So am I attempting to use this command incorrectly? am I missing part of the options?  will it do as I THINK it should at all?

All thoughts, suggestions, comments welcome   :D

regards.

Offline Was_Just19

Re: Safer Browsing
« Reply #4 on: June 01, 2010, 01:55:39 PM »
OK, finally, after some help, I got it working as I wished.

The command to add the 'browser' user to my access list is as follows

Code: [Select]
[user@Dell ~]$ xhost si:localuser:browser
localuser:browser being added to access control list
[user@Dell ~]$ xhost
access control enabled, only authorized clients can connect
SI:localuser:browser
INET:Dell

So all is needed is to set up that first command to be run at boot and I should be able to 'safe-browse' from the 'browser' user using

Code: [Select]
sudo -u browser -H /usr/bin/firefox

*****
*****

To recap:-

Edit sudoers file to include the following

Code: [Select]
#To run Firefox as "browser" user to protect main user account
#

User_Alias  X_USERS = user
Defaults:X_USERS env_reset
Defaults:X_USERS env_keep += DISPLAY
Defaults:X_USERS env_keep += XAUTHORITY

user   Dell=(browser)      NOPASSWD: ALL

MyUserName: user    MyPCName: Dell     ==> substitute your details.

(note: I have included ALL packages available so I can use this for most other apps too if I wish. Test by substituting /usr/bin/firefox for ALL on the last line of the edits above.)

Arrange to run this command at each boot:-

Code: [Select]
xhost si:localuser:browser
(where 'browser' is the user I set up to use for safe browsing)

Then change the launch icon application command (for firefox) to

Code: [Select]
sudo -u browser -H /usr/bin/firefox

From then on Firefox gets launched by user browser, so anything that comes in through Firefox does so to the 'browser' user and not to my main user account.
Essentially running Firefox in the 'browser' sandbox.

I think that is it.

All done.

regards.
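
The recap above as a launcher script (an added example, not part of the original post): it refuses to start if X access control has been left disabled by an earlier `xhost +`, and adds the `si:localuser:browser` entry only when it is missing, so the entry no longer has to be set at boot. Function and variable names are this example's own; `browser` and `/usr/bin/firefox` are the values from the thread.

```shell
#!/bin/sh
# Added example: launcher for the setup recapped above. Names (BROWSER_USER,
# function names) are this example's own; "browser" is the account from the thread.
BROWSER_USER="browser"
BROWSER_BIN="/usr/bin/firefox"

# Classify `xhost` output read from stdin:
#   open       - access control disabled (the state `xhost +` leaves behind)
#   restricted - access control enabled
#   unknown    - header line not recognised
xhost_state() {
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*) echo open; return 0 ;;
            "access control enabled"*)  echo restricted; return 0 ;;
        esac
    done
    echo unknown
}

# Succeed if the server-interpreted entry for local user $1 is listed in
# the `xhost` output on stdin.
xhost_has_localuser() {
    grep -qix "SI:localuser:$1"
}

# Check the X access list, add the browser user if needed, then start the
# browser through the sudoers rule (DISPLAY is passed on by env_keep).
safe_launch() {
    out=$(xhost) || { echo "cannot query X server" >&2; return 1; }
    if [ "$(printf '%s\n' "$out" | xhost_state)" != "restricted" ]; then
        echo "refusing to start: X access control is not enabled (run 'xhost -')" >&2
        return 1
    fi
    if ! printf '%s\n' "$out" | xhost_has_localuser "$BROWSER_USER"; then
        xhost "+si:localuser:$BROWSER_USER" >/dev/null || return 1
    fi
    sudo -u "$BROWSER_USER" -H "$BROWSER_BIN" "$@"
}

# Only launch when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = "--launch" ]; then
    shift
    safe_launch "$@"
fi
```

Saved as, say, `safefirefox.sh`, the menu entry command becomes `sh safefirefox.sh --launch`.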

Online pags

  • Hero Member
  • *****
  • Posts: 2519
  • Keep it clean.
Re: [SOLVED] Safer Browsing
« Reply #5 on: June 02, 2010, 09:56:45 AM »
So you now have a user ("browser") on your system without a password?

I'm not sure I'd like that approach...it's opening a new vector to get into your machine (slight, I know, but real none the less  :-[).

If I were to setup something like this, I would create a secure user, run the command through ssh, with X forwarding (which would handle all your xhost issues), and then use sshkeys to allow the logins to occur without requiring the password when executing the program (this is not dis-similar to my current setup to manage multiple machines across the network  ;)).

Just some food for thought.

Offline Was_Just19

Re: [SOLVED] Safer Browsing
« Reply #6 on: June 02, 2010, 02:09:03 PM »
> So you now have a user ("browser") on your system without a password?
>
> I'm not sure I'd like that approach...it's opening a new vector to get into your machine (slight, I know, but real none the less  :-[).
>
> ...

Maybe you could explain to me how the approach opens up a new vector ......  I am not sure what you are thinking about.

The 'browser' user is never logged in to.
It will only ever be used by me to isolate my browser or other app I run as 'browser'.
The user has no access to other areas or mount points.
So I am unsure what it might mean to my user security if this 'browser' has a password or not ........

Thanks for your interest .....  looking forward to the extra info

regards.

Online pags

Re: [SOLVED] Safer Browsing
« Reply #7 on: June 02, 2010, 02:27:03 PM »
> > So you now have a user ("browser") on your system without a password?
> >
> > I'm not sure I'd like that approach...it's opening a new vector to get into your machine (slight, I know, but real none the less  :-[).
> >
> > ...
>
> Maybe you could explain to me how the approach opens up a new vector ......  I am not sure what you are thinking about.
>
> The 'browser' user is never logged in to.
> It will only ever be used by me to isolate my browser or other app I run as 'browser'.
> The user has no access to other areas or mount points.
> So I am unsure what it might mean to my user security if this 'browser' has a password or not ........
>
> Thanks for your interest .....  looking forward to the extra info
>
> regards.

Just because you won't be logging into it, doesn't mean that a potential attack wouldn't attempt to do so (or use other means of exploiting any accounts).  The lack of a password (in my mind, anyway  ;)) removes an obstacle that would have had to be overcome (and, of course, a complex password is even more difficult to beat).  In any brute force and/or dictionary based attack (if I were doing it), the first attempted password would be blank...once it's walked through the dictionary to the word "browser", it would be in on the first attempt.

That account has access to the same (system) areas that your regular account does.  It is restricted from other users' data.  It can run any binary installed on your system (as can you), as demonstrated by the fact that it can run Firefox.

I'll concede that this is not wide open (and is also dependent on any other safeguards you have in place, such as external firewalls, etc), but it is a potential starting point for any (theoretical, at the least) malicious exploratory endeavors...

I may well be overly paranoid (and, admittedly, that doesn't mean I myself have implemented the be-all and end-all of any type of security), but I do believe it behooves us to be aware, and make informed decisions (by which, I mean, there is no issue with how you're doing it, as long as you're aware and comfortable with it).
 ;)

Offline Was_Just19

Re: [SOLVED] Safer Browsing
« Reply #8 on: June 02, 2010, 03:42:29 PM »
Thanks for the extra info .......

in the case described here, it is an attempt to ensure that any breach during surfing does not affect the main user account and data but instead goes to the 'null' account .... 'browser'.

So it seems to me that this is really a choice between the main user account being compromised and the 'browser' account being compromised.

If you think a password would gain anything in this scenario and can explain to me what that is, then I guess I can easily add a password to the account .....  but at the moment I fail to see how it will help in the application I have in mind.

I am just not seeing the advantage at this time tbh ....

Yes, I guess if I was protecting against some brute force break in through the firewall then having a password just might delay things a little.
I would suggest that any break through the firewall would indicate that any password I might willingly use would be easy meat  ;)

Online pags

Re: [SOLVED] Safer Browsing
« Reply #9 on: June 03, 2010, 10:07:01 AM »
Fair enough.

As I said, I mentioned only to bring the point forward, not to be critical.  As an isolation mechanism for browsing, it's a good idea.
The ultimate decision, of course, comes down to your perception of ease of use vs. possible exposure (bearing in mind that this was being done to minimize a perceived exposure already -- malicious websites).

I can't think of a way to put a password and not use ssh I think sudo can be setup to allow execution of (a specific) command(s) without requiring the user's password...I would need to review the sudo documentation.  Probably won't happen for a few days  :)

Offline Was_Just19

Re: [SOLVED] Safer Browsing
« Reply #10 on: June 03, 2010, 10:53:06 AM »
> Fair enough.
>
> As I said, I mentioned only to bring the point forward, not to be critical.  As an isolation mechanism for browsing, it's a good idea.
> The ultimate decision, of course, comes down to your perception of ease of use vs. possible exposure (bearing in mind that this was being done to minimize a perceived exposure already -- malicious websites).
>
> I can't think of a way to put a password and not use ssh I think sudo can be setup to allow execution of (a specific) command(s) without requiring the user's password...I would need to review the sudo documentation.  Probably won't happen for a few days  :)

Sorry if I came across as defensive .....  not intentional and I'm not in the least upset by your comments ...  quite the opposite, I am grateful for them   ;)
As Sudo can be set to allow execution of any or all commands without the root password, so I guess something similar would be possible if I wished to use a browsing account, with password, but no requirement for me to input it. Yes I did say 'guess'  :D

Considering the very limited scope of what this is intended to do ..... any malicious site cannot attack my main account, but only the browsing account .... I reckoned it met its target. I did need to ask if you thought it met it or if there was something I had not allowed for.
In this specific case it seems to be a choice (to me) of having my main account compromised by such a vulnerability, or having a browsing account compromised .... assuming that either would be equally at risk from such a vulnerability.

Of course I could use a monstrously difficult name for the browsing account ....  it would not matter in the circumstances as I would only have to put it in the sudoers file and forget it ......  but would that help security in any way in the event of such a vulnerability? The same could probably be done with the password for the account -- if it can be worked through the sudoers file.

Two things are paramount here ....
1.  That I do not introduce any extra vulnerability to the data
2.  That I protect from some future unknown vulnerability in the browser by running it in a 'sandbox' account, which should protect my data from that vulnerability.

The browsing account will never hold anything that I may wish to keep private.
I can regularly delete it and recreate it should I feel the need.

Thanks again for your interest in this. I appreciate the input.
I am grateful for the confirmation that it is a good idea for isolating the browsing from my user account & data.

Anything further you may have to add would be appreciated.

regards.
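
The password question discussed in the posts above can be checked against the shadow file. sudo authenticates the invoking user, not the target, and the NOPASSWD rule from the recap skips even that, so the `browser` account can have its password locked and still be used through `sudo -u browser`. The script below is an added example, not from the thread; it flags accounts whose password field is empty, and its sample lines are constructed.

```shell
#!/bin/sh
# Added example: classify the password field of shadow(5)-format lines.
# password_state prints one of:
#   empty    - field is blank: the account accepts a blank password
#   locked   - field starts with ! or *: no password can match
#   password - a hash is set
password_state() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        "")        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo password ;;
    esac
}

# Read shadow-format lines on stdin and print the names of accounts whose
# password field is empty. Exit status is 1 if any were found, 0 otherwise.
find_empty_passwords() {
    found=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if [ "$(password_state "$line")" = "empty" ]; then
            printf '%s\n' "${line%%:*}"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample (hashes are placeholders, not real values).
SAMPLE_SHADOW='root:$6$constructedsalt$constructedhash:14758:0:99999:7:::
user:$6$constructedsalt$constructedhash:14758:0:99999:7:::
browser::14758:0:99999:7:::
daemon:*:14758:0:99999:7:::
browser_locked:!:14758:0:99999:7:::'

# As root on a real system:  find_empty_passwords < /etc/shadow
# To lock the account while keeping `sudo -u browser` usable:  passwd -l browser
```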

Online pags

Re: [SOLVED] Safer Browsing
« Reply #11 on: June 03, 2010, 11:06:52 AM »
I can't think of anything of value to add at this time, so I won't.  ;D

I think you've met your intended goals, and are aware of the points brought forward so far.  If anyone else cares to chime in, there's a basis to go from...

Since this thread is [SOLVED], I guess we should minimize the posting to it!  :D :D

Enjoy your safe browsing haven!

Offline Was_Just19

Re: [SOLVED] Safer Browsing
« Reply #12 on: June 10, 2010, 10:52:28 AM »
Just a note here to add the following .....

Go to

Configure Your Desktop - Personal - Default Applications - Web Browser

Select "in the following browser"  and in the space provided in place of just 'firefox' or other browser, type in the following

sudo -u browser -H /usr/bin/firefox

This makes the browser open in the sandbox by default.

Of course change names to suit your own setup.

regards.

Offline sixthwheel

  • Hero Member
  • *****
  • Posts: 583
  • Location: Not Windows
Re: [SOLVED] Safer Browsing
« Reply #13 on: July 12, 2010, 05:24:59 PM »
Would you not accomplish the same thing (safe browsing) if you just used a live CD to surf the net?

Offline Was_Just19

Re: [SOLVED] Safer Browsing
« Reply #14 on: July 13, 2010, 03:09:31 AM »
> Would you not accomplish the same thing (safe browsing) if you just used a live CD to surf the net?

Yes ......  but I cannot use a liveCD when I am doing other things using my installed OS on my PC.  :(

There is no way I am going to boot a liveCD every time I come across a link in a post on this forum or any other.

So not practical.   ;)

regards.