Hi,

Since a recent article about possible zero-day exploits in Firefox I started doing some proactive security, and I wrote down how I did it. Here it is: Firefox for paranoid people.

If Firefox has a separate user account you can still browse the internet, but if Firefox gets hacked it won't affect the contents of your homedir, or rather the safety of your data.

So how do you set that up:

1) Make a user account for Firefox:

    $ sudo groupadd browser
    $ sudo useradd -m -s /usr/local/bin/firefox-rc -g browser firefox

2) Add a line like this with visudo:

    han ALL=(ALL) NOPASSWD: /usr/bin/su - firefox

3) Copy your ~/.mozilla, your ~/.gtk*, ~/.font* and ~/.Xdefaults to ~firefox:

    $ sudo cp -R ~/.mozilla ~/.gtk* ~/.font* ~/.Xdefaults ~firefox

4) Create a tmpdir for Firefox:

    $ sudo install -d -m 700 ~firefox/.tmp

5) Set the right ownership for the firefox home directory:

    $ sudo chown -R firefox:browser ~firefox

6) Save this script as /usr/local/bin/firefox-wrapper

    #!/bin/sh
    PATH=$PATH:/usr/X11R6/bin
    FOXUSER=firefox
    # Only start a new browser if the firefox account is not already running one.
    if ! pgrep -u "$FOXUSER" -x firefox >/dev/null; then
        # Let the local user firefox, and nobody else, connect to this X display.
        xhost +si:localuser:$FOXUSER
        # Must match the sudoers line; su - starts the account's shell, firefox-rc.
        sudo /usr/bin/su - $FOXUSER &
    fi

7) Save this script as /usr/local/bin/firefox-rc

    #!/bin/sh
    # Login shell of the firefox account: set up the environment, start the browser.
    export DISPLAY=:0.0 LC_ALL=en_GB TMP="$HOME/.tmp" TMPDIR="$HOME/.tmp"
    xrdb -load ~/.Xdefaults
    /usr/local/bin/firefox

8) Give the scripts the right permissions:

    $ sudo chmod 755 /usr/local/bin/firefox-rc
    $ sudo chmod 755 /usr/local/bin/firefox-wrapper

9) Run the script. If things go wrong, run it from an xterm to see what happens.

    $ firefox-wrapper

The latest version of this document can be found over here:

    http://www.xs4all.nl/~hanb/documents/firefox_for_paranoid_people

# Han
Han Boetes
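
Added example, not part of the post above: a small audit of the two things the setup depends on, namely that the browser account cannot read the owner's home directory and that the X access list holds only the two expected local users. The names han, firefox and browser come from the post; the group "users" and all sample lines are constructed.

```shell
#!/bin/sh
# Added audit sketch. Each function takes the text a standard tool prints
# (ls -ld, xhost), so the logic can be checked offline on sample input.

# perms_exposed "<ls -ld line>" <browser-group>
# Returns 0 when the browser account could get into the directory: any
# "other" bit is set, or group bits are set and the group is the browser group.
perms_exposed() {
    mode=$(printf '%s\n' "$1" | awk '{print $1}')
    group=$(printf '%s\n' "$1" | awk '{print $4}')
    [ "$(printf '%s' "$mode" | cut -c8-10)" != "---" ] && return 0
    [ "$group" = "$2" ] && [ "$(printf '%s' "$mode" | cut -c5-7)" != "---" ] && return 0
    return 1
}

# xhost_extra "<xhost output>" <owner> <browser-user>
# Prints access-list entries beyond the two expected local users, and
# DISABLED when access control is switched off. No output means clean.
xhost_extra() {
    printf '%s\n' "$1" | awk -v o="SI:localuser:$2" -v b="SI:localuser:$3" '
        /^access control disabled/ { print "DISABLED"; next }
        /^access control enabled/  { next }
        NF && $0 != o && $0 != b   { print }'
}

# audit "<ls -ld line of the owner's home>" "<xhost output>"
# Prints one line per finding. On a live system:
#   audit "$(ls -ld "$HOME")" "$(xhost)"
audit() {
    if perms_exposed "$1" browser; then
        echo "home directory is accessible to the browser account"
    fi
    for entry in $(xhost_extra "$2" han firefox); do
        echo "unexpected X access entry: $entry"
    done
}

# Constructed sample input.
SAMPLE_HOME_OPEN='drwxr-xr-x  12 han  users  1024 Jan  1 12:00 /home/han'
SAMPLE_HOME_SHUT='drwx------  12 han  users  1024 Jan  1 12:00 /home/han'
SAMPLE_XHOST='access control enabled, only authorized clients can connect
SI:localuser:han
SI:localuser:firefox
INET:localhost'

audit "$SAMPLE_HOME_OPEN" "$SAMPLE_XHOST"
```

On the sample input this reports two findings: the world-readable home directory and the INET:localhost entry.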