Saturday, July 21, 2012

Executing Firefox/Chrome as a restricted user in Ubuntu

Next follows a quick guide (aka, chuletario) to execute Firefox as an isolated user in Ubuntu (it will probably work with few or no modifications in Fedora, Mandriva or even Mac OS X). Executing it as an isolated user lets us protect our system (even more) from the risks of the Internet. The impact of a potentially dangerous remote attack using a flaw in our browser (or a flaw in the plugins installed in our browser, or in the application used to read mail attachments) will be minimized. A virus/worm/"whatever" will be blocked unless it manages not only to break out of the browser, but simultaneously to escalate privileges using a flaw in our OS kernel (remember the maximum principle of security, "NO SYSTEM IS SECURE"). To protect our system just follow the next instructions:
  1. Create a new user with a command similar to:
    adduser internetBrowsing
    
  2. Using your favorite text editor (gedit, vim/gvim, nano, ...) write a script similar to the next one (in step 3 it is saved as launchBrowser.sh):
     
    #!/bin/bash
    # Allow local (non-network) clients to connect to our X session
    xhost local:
    # Run the browser as the isolated user, in the background, discarding its output
    su -c "firefox 1>/dev/null 2>&1 &" internetBrowsing
    
    xhost local: will allow local users access to the X session.
    Replace 'firefox' with the name of your favorite browser (chrome, chromium-browser, opera, ...). (But don't forget that Firefox is better than your favorite browser in that case :) ).
  3. Save it and mark it as executable by executing in a terminal:
    chmod u+x launchBrowser.sh
    
  4. Add our new user to the audio group to allow it access to the sound card. Edit the file '/etc/group' (in a terminal execute
    sudo gedit /etc/group
    ) and add the new user internetBrowsing to the audio group. Afterwards the /etc/group file must look similar to this (checking with grep for the new user name):
    grep internetBrowsing /etc/group
    ...
    ...
    audio:x:29:pulse,internetBrowsing
    ...
    ...
    
    (WARNING: Do not delete anything in this file, just add internetBrowsing to the audio group)
  5. Finally just execute the script in a terminal by typing:
    ./launchBrowser.sh
    
    or create a launcher in the desktop.
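As an added example (not the post's own script), the same idea with two refinements a cautious admin would want: the X grant is narrowed to the browsing account with xhost's si:localuser form instead of opening the display to every local user, and is revoked when the browser exits, and the audio-group membership from step 4 is verified by parsing /etc/group before launching. The names internetBrowsing and firefox come from the post; the helper and variable names are my own.

```shell
#!/bin/bash
# Added example, not the original post's script. Assumes the account from
# step 1 (internetBrowsing) exists and that xhost, su and id are available.
set -u

BROWSER_USER="${BROWSER_USER:-internetBrowsing}"
BROWSER_CMD="${BROWSER_CMD:-firefox}"

# in_group GROUP USER [FILE]: succeed if USER is listed as a member of GROUP
# in an /etc/group-style file (default /etc/group). Pure text check, so it
# can also be run against a copy of the file.
in_group() {
    local group="$1" user="$2" file="${3:-/etc/group}"
    awk -F: -v g="$group" -v u="$user" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit (found ? 0 : 1) }' "$file"
}

# launch_browser USER CMD: grant X access to that one local account only
# (server-interpreted "si:localuser:" form rather than "xhost local:", which
# admits every local user), run CMD as USER, then revoke the grant again.
launch_browser() {
    local user="$1" cmd="$2" rc
    id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 2; }
    in_group audio "$user" || echo "warning: $user is not in the audio group" >&2
    xhost "+si:localuser:$user" >/dev/null || return 3
    # su drops to the browsing user; output is discarded as in the post's script
    su -c "exec $cmd >/dev/null 2>&1" "$user"
    rc=$?
    xhost "-si:localuser:$user" >/dev/null
    return "$rc"
}

# Launch only when asked explicitly, so the file can also be sourced.
case "${1:-}" in
    launch) launch_browser "$BROWSER_USER" "$BROWSER_CMD" ;;
    *) echo "usage: $0 launch   (override with BROWSER_USER and BROWSER_CMD)" >&2 ;;
esac
```

Run it as ./launchBrowser.sh launch (with a trailing & or from a desktop launcher, since it now waits for the browser to exit so it can revoke the grant). X11 still does not isolate clients from one another, so this limits the damage of a compromised browser rather than fully sandboxing it.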
