- When browsing sites that need high security (online banking, etc) I use the browser when logged in as myself,
- For regular browsing of important but not financial sites (gmail, facebook, etc) I run a browser as a user named "secure" (could be any other name).
- For likely insecure browsing (reddit, etc) I run a browser as a user named "insecure"
Previously I would have a shell script that did:
ssh -X secure@localhost
with public key auth. Lately I'd switched to a script that did:
xhost +
instead so I could just
sudo -H -u secure chromium-browser
but that's not too secure. I finally broke down and read the xhost manual and am now doing it the right way with:
xhost +si:localuser:secure
xhost +si:localuser:insecure
which at least limits the xhost permission to just those two users.
No comments:
Post a Comment