calum.org:~#

Running Firefox as another user, using sudo

Tags: linux, security, firefox, sudo, howto

Added: 2007-04-21 10:33

Running Firefox as another user, using sudo

Share: Share on Facebook Share on Delicious Share on Twitter Share on Email Share on StumbleUpon Share on Yahoo Share on Technorati Share on MySpace Share on Digg Share on Reddit Share on Newsvine


As the browser is one of the most common points of entry into a system, it makes sense to do everything that is possible to secure it.

Any sane user will never browse the web as root (or an account with Administrator access in Windows*), as any malware would then be able to do anything on the whole machine.

* This is insane. If you do it, you deserve everything you get.

So, in Linux, of course I use my normal user account, and trust in the fact that Linux, on an AMD64 processor is fairly safe.

However, this means that should my browser be compromised, the only files it can alter/delete are the ones owned by my own user account. Which is pretty much everything.
So, although something bad wouldn't mean I'd have to reinstall my box, I'd have lost all my files.

To see what files and directories you have write access to now, try this:

find / \( -user $USER -perm +u=w \) -o \( -perm +o=w \)


Solution? Run your browser as another user.

/bin/su -
adduser -m ff (Don't assign it a password)
visudo


(If you don't have visudo, install sudo - emerge sudo)
This will open up a vi window.
Add the following lines to it

User_Alias  X_USERS = yourusername
Defaults:X_USERS env_reset
Defaults:X_USERS env_keep += DISPLAY 
Defaults:X_USERS env_keep += XAUTHORITY 

yourusername           yourhostname=(ff)      NOPASSWD: /usr/bin/firefox


Then transfer your whole .mozilla dir to the ff user directory.

mv ~yourusername/.mozilla ~ff/ -iv
chown ff:users ~ff/.mozilla/ -Rfv


Exit out of the root shell, back to your normal user account.

xhost 127.0.0.1


Add this to /etc/conf.d/local.start (In Gentoo) so you don't have to remember to run it each time.

sudo -u ff -H firefox


Change your standard Firefox launch icon to run this command each time.

You should see a Firefox window pop up, with all your old bookmarks, settings, etc. However, it's running now as "ff".

This means that you can't access any files that the user ff can't access. Which hopefully should include all your files.
Create a directory in ~ff/, and change the permissions to allow your normal user account to read and write files there. You can use this to copy files between your two accounts.
To see what files and directories ff can write to, run:
find . \( -user ff -perm +u=w \) -o \( -perm +o=w \)

It should be much less than before.

(In Windows, you can look into the runas command.)

You can also use this system for maintaining multiple brower "personalities" - so that advertisers can't link user A at site X with user B at site Y.

This was tested on Gentoo Linux, running KDE, and Firefox 2. It works for me.
For further browsing enjoyment, install the Adblock, NoScript, and Flashblock plugins, extensions, add ons (or whatever they're called this week).

Comments

Comment 1

in centos, worked. Thanks.

from root user's gnome-desktop's terminal window, i had to do this:

sudo -u ff -H xhost 127.0.0.1

sudo -u ff -H firefox



how can i run firefox, xchat, etc multiple internet applications by using a same non root username (for example, username: 'InternetApps') ?

Comment 2

Nice. Not as safe as "chrooting" firefox but should work.

Comment 3

"xhost 127.0.0.1" or "xhost localhost" didn't work for me on Debian stable (lenny). "xhost local:" did.

Comment 4

To use or run other multiple internet applications as a non root or less privileged user, following can be done :

Create another user name "InternetApps", instead of "ff", in the way mentioned in the main article.

In this article (author 'Calum') & in user comment 3, replace the all word "ff" with "InternetApps".

List your other internet applications like this:

yourusername yourhostname=(InternetApps) NOPASSWD: /usr/bin/firefox, /usr/bin/xchat, /usr/bin/thunderbird

In my case i used 'root' as 'yourusername', and i used 'localhost' in place of 'yourhostname".

To run Firefox in centos, i used:

sudo -u InternetApps -H firefox &

To run thunderbird:

sudo -u InternetApps -H thunderbird &

... Now, enjoy safer websurfing & safer internet accessing.

This comment shared with you & submitted by Bry8Star.

Comment 5

I copied the "/usr/bin/firefox" script, then renamed that(copy) to "/usr/bin/firefox-InternetApps".

Using the visudo, add this '/usr/bin/firefox-InternetApps' into the NOPASSWD line.

If someone wants to further modify the 'firefox-InternetApps' script, then they can do so.

Now create a Firefox Profile inside firefox for 'InternetApps' user :

sudo -u InternetApps -H firefox-InternetApps -profilemanager -no-remote &

A window will appear, to allow you to add new Profile(s), create 'InternetApps'.

Start firefox & then exit from it.

Now following command will start firefox & take us inside the 'InternetApps' profile :

sudo -u InternetApps -H firefox-InternetApps -p InternetApps -no-remote &

I copied the "/usr/bin/firefox" script (not a link) file, then renamed that (copied) file to "firefox-ia", open "firefox-ia" with a text editor, keep only the top two lines, delete all other lines, then add our commandline, it should look like this:

#!/bin/sh

#

sudo -u InternetApps -H firefox-InternetApps -p InternetApps -no-remote &

# end of file

Then simply type : "firefox-ia" , (without the quote symbols,) to run firefox (under a non root user and with a different firefox profile).

... This process worked on centos 5.6 firefox 3.6.17. ~ Bry8Star.

Comment 6

try using kdesu instead of su, it'll work without any of the other hacks, plus allowing anyone on 127.1 to connect to X isnt secure
Add a comment

Your IP:
Please enter 7017930 here: