Saturday, November 10, 2012

xhost for specific local user only

On Linux (Mint, lately, but also Ubuntu and others) I run my browsers as three different users.

  • When browsing sites that need high security (online banking, etc.) I use the browser when logged in as myself.
  • For regular browsing of important but not financial sites (Gmail, Facebook, etc.) I run a browser as a user named "secure" (could be any other name).
  • For likely insecure browsing (Reddit, etc.) I run a browser as a user named "insecure".

Previously I would have a shell script that did:

  ssh -X secure@localhost

with public key auth.  Lately I'd switched to a script that did:

  xhost +

instead so I could just

  sudo -H -u secure chromium-browser

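but that's not too secure: a bare "xhost +" turns access control off entirely, so any client that can reach the X server is allowed to connect.  I finally broke down and read the xhost manual and am now doing it the right way with: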

  xhost +si:localuser:secure
  xhost +si:localuser:insecure

which at least limits the xhost permission to just those two users.
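
To confirm that a leftover "xhost +" or a stray host entry is not still in effect, the list printed by a bare `xhost` can be checked against the users you meant to allow. The function below is an added example, not part of the original post; the name `audit_xhost` and the sample input are constructed for illustration.

```shell
#!/bin/sh
# audit_xhost ALLOWED_USER...
# Reads the output of a bare `xhost` on stdin, prints one finding per
# line, and returns 1 if anything beyond the expected entries is present.
# Real use:  xhost | audit_xhost secure insecure
audit_xhost() {
    status=0
    while IFS= read -r line; do
        case "$line" in
            "access control enabled"*|"")
                ;;  # header line for the restricted state: nothing to report
            "access control disabled"*)
                echo "FAIL: access control is off (xhost +); run 'xhost -'"
                status=1
                ;;
            SI:localuser:*)
                user=${line#SI:localuser:}
                found=0
                for allowed in "$@"; do
                    if [ "$user" = "$allowed" ]; then found=1; fi
                done
                if [ "$found" -eq 0 ]; then
                    echo "WARN: unexpected local user entry: $user"
                    status=1
                fi
                ;;
            *)
                # Host-based or other families (INET:, LOCAL:, ...) are
                # broader than a single named local user.
                echo "WARN: entry is not a single local user: $line"
                status=1
                ;;
        esac
    done
    return "$status"
}

# Constructed sample: the state left behind by "xhost +" plus one user entry.
audit_xhost secure insecure <<'EOF' || echo "review the findings above"
access control disabled, clients can connect from any host
SI:localuser:secure
EOF
```

If your desktop session adds an entry for your own account, pass your user name as an additional allowed user.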
