Sunday, August 30, 2009

Slightly more secure

On my home computer I've got a reasonably secure browsing setup (firefox 3.5, noscript, adblock, flashblock, made the flash cookies directory non-writeable, etc). But nothing is perfect. So I decided to raise the bar a bit. I moved my main browsing profile to a separate user account (so that even if it gets cracked, it won't have access to my ssh keys (ssh-agent is convenient, but it could be a hole), data in my home directory (svn working copies, git working copies, random other files) or to my other privileges (sudo access on this and other computers).

My trusted profiles (online banking, power company, mobile phone company, phone/internet company, cable tv company, etc) will probably go into yet another account. I haven't done that yet. But I'll get it done tomorrow, probably.

For reference:

to allow the other user to run firefox on the main display:
xhost local:[other_user_name]

and to actually run firefox as the other user:
sudo -H -u [other_user_name] firefox-3.5 -a [profile] -P [profile]

I don't think the -a should be needed there, but it doesn't work right (loading the default profile instead of the profile I want) when it's removed. So I keep it in.

Update - I wondered why youtube and other videos had no sound in this new setup. Today I realized that it's because the browser is running as the other user, and that other user isn't in the audio group.

Fixed with vigr.

No comments: