Tue, 16 Jul 2024 20:19:10 +0200 - marc <marc@???>:

> > > Running the browser from an account without access to multimedia
> > > devices and confidential files can help too. Just create an
> > > account which belongs in the same group as your primary
> > > account, and with the right umask, .Xauthority and su(do) configs
> > > you can launch firefox with much reduced privileges.
> >
> > uhm... this is interesting to me
> > please could you give more details, better if with a complete example?
> > thanks in advance
>
> Right. Lets pretend your normal account is called "you" with group "you"
> and lets call the new account "new".
>
> as root
> # adduser --gid you new
>

>  as new ("su - new" will work here)
> $ chmod 750 /home/new
> $ mkdir /home/new/Downloads
> $ chmod 1770 /home/new/Downloads    # 770 may be preferable

>
> as you
> $ ln -s /home/new/Downloads /home/you/Downloads-new
>
> And now you have some choices: Simplest is just
> to (as you):
>
> $ ssh -X new@localhost firefox
>
> That needs to have openssh-server installed, and is a
> bit inefficient, but quick to get going.
>
> Alternative is to change permissions of your .Xauthority
>
> as you
> $ chmod 640 /home/you/.Xauthority
> as new
> $ ln -s /home/you/.Xauthority /home/new/.Xauthority
>
> An "xhost +" would work too, but be sure to
> understand the security tradeoff.
>
> Now you can do a
>
> $ su - new
> $ DISPLAY=:0 firefox
>
> A quick warning: My systems are rather unusual, and I have typed
> this up without testing (bad form, sorry) - so there may be some
> interaction I could have missed. For instance you might want to configure a
> more relaxed umask for the new account, otherwise you might not be able to
> read your downloaded files. And I disable logind/seatd, so who knows what
> might happen there. But I have systems which do run firefox under a
> different account, so chances are this can work for you too.

Thanks for the explaination, Marc


> I think this is a much nicer approach than just relying
> on the containment logic inside firefox - see the other
> thread on this mailing list about firefox 128 opt in
> user hostile behaviour.
>
> Summary: Your linux box is a sophisticated multi-user
> system. Use it. There is nothing stopping you from
> setting up many accounts. Eg an account called
> say "banker" which you only use for your internet
> banking.


> The surveillance capitalists want to track
> you everywhere - confuse them and cultivate multiple
> personalities...

Totally agree!!!

Regards
alexus


--
The only way humans have learned to survive brings them to extinction.
______________________________________________________________________
Public GPG/PGP key: 8FC2 3121 2803 86E9 F7D8 B624 DA50 835B 2624 A36B