firefox for paranoid people

Han Boetes han at
Mon Oct 2 09:04:33 UTC 2006


Since a recent article about possible zero-day exploits in firefox
I started doing some proactive security, and I wrote down how I
did it. Here it is:

firefox for paranoid people.

If firefox has a separate useraccount you can still browse the
internet but if firefox gets hacked it won't affect the contents
of your homedir, or rather the safety of your data.

So how do you set that up:

1) Make a useraccount for firefox:

   $ sudo groupadd browser
   $ sudo useradd -m -s /usr/local/bin/firefox-rc -g browser firefox

2) Add a line like this line with visudo:

   han ALL=(ALL) NOPASSWD: /usr/bin/su - firefox

3) Copy your ~/.mozilla, your ~/.gtk* and ~/.font* ~/.Xdefaults to ~firefox

   $ sudo cp -R ~/.mozilla ~/.gtk* ~/.font* ~/.Xdefaults ~firefox

4) Create a tmpdir for firefox

   $ sudo install -d -m 700 ~firefox/.tmp

5) Set the right ownership for the firefox homedirectory.

   $ sudo chown -R firefox:browser ~firefox

6) Save this script as /usr/local/bin/firefox-wrapper


   if ! pgrep -x $FOXBIN; then
       xhost +si:localuser:firefox
       sudo /usr/bin/su - $FOXBIN &

7) Save this script as /usr/local/bin/firefox-rc

   export DISPLAY=:0.0 LC_ALL=en_GB TMP=~/.tmp TMPDIR=~/.tmp
   xrdb -load ~/.Xdefaults

8) Give the scripts the right permissions.

   $ sudo chmod 755 /usr/local/bin/firefox-rc
   $ sudo chmod 755 /usr/local/bin/firefox-wrapper

9) Run the script. If things go wrong run it from an xterm to see
   what happens.

   $ firefox-wrapper

The latest version of this document can be found over here:

# Han

More information about the CRUX mailing list