> > Running the browser from an account without access to multimedia
> > devices and confidential files can help too. Just create an
> > account which belongs in the same group as your primary
> > account, and with the right umask, .Xauthority and su(do) configs
> > you can launch firefox with much reduced privileges.
>
> uhm... this is interesting to me
> please could you give more details, ideally with a complete example?
> thanks in advance
Right. Let's pretend your normal account is called "you" with group "you"
and let's call the new account "new".
as root
# adduser --gid you new
as new ("su - new" will work here)
$ chmod 750 /home/new
$ mkdir /home/new/Downloads
$ chmod 1770 /home/new/Downloads # 770 may be preferable
as you
$ ln -s /home/new/Downloads /home/you/Downloads-new
And now you have some choices: Simplest is just
to (as you):
$ ssh -X new@localhost firefox
That needs to have openssh-server installed, and is a
bit inefficient, but quick to get going.
Alternative is to change permissions of your .Xauthority
as you
$ chmod 640 /home/you/.Xauthority
as new
$ ln -s /home/you/.Xauthority /home/new/.Xauthority
An "xhost +" would work too, but be sure to
understand the security tradeoff.
Now you can do a
$ su - new
$ DISPLAY=:0 firefox
A quick warning: My systems are rather unusual, and I have typed
this up without testing (bad form, sorry) - so there may be some
interaction I could have missed. For instance you might want to configure a more
relaxed umask for the new account, otherwise you might not be able to read
your downloaded files. And I disable logind/seatd, so who knows what might happen
there. But I have systems which do run firefox under a different
account, so chances are this can work for you too.
I think this is a much nicer approach than just relying
on the containment logic inside firefox - see the other
thread on this mailing list about firefox 128 opt in
user hostile behaviour.
Summary: Your Linux box is a sophisticated multi-user
system. Use it. There is nothing stopping you from
setting up many accounts. E.g. an account called
say "banker" which you only use for your internet
banking. The surveillance capitalists want to track
you everywhere - confuse them and cultivate multiple
personalities...
regards
marc
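Added example, not part of marc's mail or of any project's code: a small POSIX shell audit that checks the permissions the recipe above depends on (the 640 cookie file, the 750 home, the 1770 shared Downloads directory, and a umask that keeps the group read bit), so the setup can be confirmed before it is trusted. It assumes Linux with GNU stat; "you", "new" and the shared group are the hypothetical names from the mail.

```shell
#!/bin/sh
# Added example, not from the original mail: audit the permissions that the
# two-account setup above relies on (640 cookie, 750 home, 1770 shared
# Downloads, a umask that keeps group read). Assumes Linux with GNU stat;
# "you", "new" and the shared group are the mail's hypothetical names.

# Print the owner, group and other permission digits of PATH, e.g. "7 7 0"
mode_digits() {
    m=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    printf '%d %d %d\n' $(( (m / 100) % 10 )) $(( (m / 10) % 10 )) $(( m % 10 ))
}

# 0 if FILE is group-readable and grants nothing to others (the 640 step)
check_xauth() {
    d=$(mode_digits "$1") || return 1
    set -- $d
    [ $(( $2 & 4 )) -ne 0 ] && [ "$3" -eq 0 ]
}

# 0 if PATH grants nothing to others (the "chmod 750 /home/new" step)
check_closed_to_others() {
    d=$(mode_digits "$1") || return 1
    set -- $d
    [ "$3" -eq 0 ]
}

# 0 if DIR belongs to GROUP, the group has rwx and others have nothing
check_shared_dir() {
    [ -d "$1" ] && [ "$(stat -c '%G' "$1" 2>/dev/null)" = "$2" ] || return 1
    d=$(mode_digits "$1") || return 1
    set -- $d
    [ "$2" -eq 7 ] && [ "$3" -eq 0 ]
}

# 0 if files created under UMASK (as `umask` prints it, e.g. 022 or 0002)
# keep the group read bit, so "you" can read what "new" downloads
umask_allows_group_read() {
    [ $(( 0$1 & 040 )) -eq 0 ]
}

# audit_setup YOU_HOME NEW_HOME GROUP NEW_UMASK: names each failed check
# and returns how many failed (0 means the setup matches the recipe)
audit_setup() {
    n=0
    check_xauth "$1/.Xauthority" || { echo "FAIL: $1/.Xauthority is not 640"; n=$((n + 1)); }
    check_closed_to_others "$2" || { echo "FAIL: $2 is open to others"; n=$((n + 1)); }
    check_shared_dir "$2/Downloads" "$3" || { echo "FAIL: $2/Downloads is not 1770 in group $3"; n=$((n + 1)); }
    umask_allows_group_read "$4" || { echo "FAIL: umask $4 hides downloads from group $3"; n=$((n + 1)); }
    return $n
}
```

Run it as "you" after the steps above, e.g. `audit_setup /home/you /home/new you "$(su - new -c umask)"`, and fix whatever it reports before launching the browser.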