Discussion:
Isolating Firefox in a nested X server, and running as a different user
Robert Connolly
2012-12-02 04:53:53 UTC
Hello.

In an effort to isolate Firefox (or any graphical browser) from my user
account, I have added a 'firefox' user and group, added 'firefox' user
to sshd_config to allow x11 forwarding, and ran the following commands:
$ Xephyr :1
$ ssh -Yf ***@localhost firefox --display :1

This can be made nicer with a window manager, but I don't think that is
important here.

From what I understand, this will prevent Firefox from having access to
my display, such as keystrokes and mouse movement. It will also prevent
Firefox from having access to my go-rwx files, and modification
permissions to my files. This sounds like all of the isolation I want
from Firefox, while still being able to use it.

I would like to know if I am missing or forgetting anything. I don't
think a chroot for Firefox will gain me much. Other options include
using pf and systrace, but again I don't think this would gain me much.

Thanks
John Long
2012-12-02 11:20:04 UTC
Post by Robert Connolly
Hello.
In an effort to isolate Firefox (or any graphical browser) from my
user account, I have added a 'firefox' user and group, added
'firefox' user to sshd_config to allow x11 forwarding, and ran the
$ Xephyr :1

You might want -no-remote also. Seems to me if I don't do this I have
problems with Firefox forking an existing instance when using ssh forwarding
as in your example.

/jl
Matthieu Herrb
2012-12-02 12:35:58 UTC
You should not use the -Y option to ssh. It gives your 'firefox' session
access to your main X session through the ssh X tunnel (and the DISPLAY
environment variable).

See http://gouloum.fr/doc/desktop_sec.html for a similar approach (using
sudo instead of ssh to switch users).
Jiri B
2012-12-03 08:03:10 UTC
Post by Robert Connolly
Hello.
In an effort to isolate Firefox (or any graphical browser) from my
user account, I have added a 'firefox' user and group, added
'firefox' user to sshd_config to allow x11 forwarding, and ran the
$ Xephyr :1
This can be made nicer with a window manager, but I don't think that
is important here.
From what I understand, this will prevent Firefox from having access
to my display, such as keystrokes and mouse movement. It will also
prevent Firefox from having access to my go-rwx files, and
modification permissions to my files. This sounds like all of the
isolation I want from Firefox, while still being able to use it.
I would like to know if I am missing or forgetting anything. I don't
think a chroot for Firefox will gain me much. Other options include
using pf and systrace, but again I don't think this would gain me much.

Newer Xephyr, which is not in Xenocara yet, offers a resizable window.
You can also share clipboard with little scripts between X servers.

jirib
Robert Connolly
2012-12-16 22:21:59 UTC
Ok. I took the suggestions, and now have:
Xephyr -screen 1358x693 :1 & ssh -Xf ***@localhost 'twm -display :1 & firefox -no-remote --display :1'

I found the xsel(1) scripts to do copying and pasting from different
displays, and it works with some getting used to. I intend to make some
title bar buttons to make this easier.

I still don't know whether I should be running Xephyr as my user, or as
the firefox user.

Also, would the sshd_config ForceCommand option be a good idea?

ForceCommand twm -display :1 & firefox -no-remote --display :1

It's working well. After using xset to match my mouse settings, I still
notice a touch of mouse lag, but it's completely usable.

I would like to hear comments about using pf to filter user/group, to
make sure Firefox uses a proxy. The idea behind this is to stop Firefox
from leaking my IP. Is this the most efficient way to do this?

Thanks
Jiri B
2012-12-17 05:54:39 UTC
Post by Robert Connolly
I would like to hear comments about using pf to filter user/group,
to make sure Firefox uses a proxy. The idea behind this is to stop
Firefox from leaking my IP. Is this the most efficient way to do
this?

I block a user using torified firefox with PF but remember there
are some issues - ping is done under root account and iirc dns
resolving as well.

I use dnscrypt-proxy, I used to have pdnsd running which was using
dnscrypt-proxy and dns via tor (if tor was running). Too complicated :)

jirib
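
The pf user filtering discussed in the last two messages, written out as an added pf.conf example that is not a ruleset posted by anyone in the thread. It assumes the dedicated account is named firefox and that a local proxy listens on 127.0.0.1 port 8118; both values are constructed for illustration.

```pf
# Added example (constructed), not a ruleset from the thread.
# Assumptions: local account "firefox"; proxy listening on 127.0.0.1:8118.
browser_user = "firefox"
proxy_port   = "8118"

# The stock OpenBSD pf.conf contains "set skip on lo". With that line in
# place loopback traffic is never filtered, so the pass rule below is
# redundant but harmless; without it, the pass rule is required.

# Let sockets owned by the browser account reach only the local proxy.
pass out quick on lo0 inet proto tcp from any to 127.0.0.1 \
    port $proxy_port user $browser_user

# Reject and log every other TCP or UDP socket owned by that account,
# including DNS queries sent by the browser process itself.
# "user" matches only TCP and UDP sockets, and only by the socket owner's
# effective uid: ICMP (setuid-root ping) and traffic from daemons running
# under other accounts, such as a local resolver or the proxy, are not
# matched by these rules and need rules of their own.
block return out log quick proto { tcp, udp } all user $browser_user
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it; rejected connection attempts from the browser account then show up on the pflog0 interface (`tcpdump -n -e -ttt -i pflog0`).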
