Re: Almost offtopic question to the "Improving Browser Security" question
On 2015-03-03, someone wrote:
> Wow, copying the .Xauthority to the "separated" user worked!
>
> But I'm still thinking that the "separated" user can give out the command:
>
> xinput test 6
>
> and can see what anyone types in via X.

See xauth(1) about generating an untrusted auth token.

If you're feeling lazy, enabling ssh X forwarding and using
ssh -X user@localhost might be easier, but will be slower.
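The xauth(1) suggestion in the reply above, written out as an added example that is not part of the original thread: instead of copying the session owner's .Xauthority, which carries a trusted cookie, the session owner generates an untrusted cookie through the X SECURITY extension and merges only that into the separated user's authority file. The display :0, the user foo, the cookie path, the 600-second timeout and both function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: X server on :0 with the
# SECURITY extension, separated user "foo"; function names are hypothetical.

# Write an *untrusted* cookie for local display $1 into a fresh 0600 file $2.
# $3 = seconds the server keeps the cookie while no client is using it.
gen_untrusted_cookie() {
    display=$1 cookie=$2 timeout=${3:-600}
    case $display in
        :[0-9]*) ;;
        *) echo "not a local display: $display" >&2; return 1 ;;
    esac
    rm -f "$cookie"
    ( umask 077 && : > "$cookie" ) || return 1
    # "." is xauth shorthand for MIT-MAGIC-COOKIE-1.
    xauth -f "$cookie" generate "$display" . untrusted timeout "$timeout"
}

# Merge the cookie from file $1 into user $3's own ~/.Xauthority, then
# delete the file. Assumes su reads the password from the terminal,
# leaving stdin free for the pipe.
hand_cookie_to_user() {
    cookie=$1 display=$2 user=$3
    xauth -f "$cookie" nextract - "$display" |
        su - "$user" -c 'xauth nmerge -'
    rm -f "$cookie"
}

# Usage, run as the user who owns the X session:
#   gen_untrusted_cookie :0 "$HOME/.Xauthority.foo" &&
#       hand_cookie_to_user "$HOME/.Xauthority.foo" :0 foo
```

Remove any previously copied ~foo/.Xauthority first so that the untrusted cookie is the only credential the separated user holds. Some applications misbehave as untrusted clients because the server denies them a number of extensions.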
Re: Almost offtopic question to the "Improving Browser Security" question
http://blogs.gnome.org/alexl/2015/02/17/first-fully-sandboxed-linux-desktop-app/

h, great, looks like X is not soo good regarding security.. maybe Wayland..

On Tue, Mar 3, 2015 at 6:09 PM, someone wrote:

> Wow, copying the .Xauthority to the "separated" user worked!
>
> But I'm still thinking that the "separated" user can give out the command:
>
> xinput test 6
>
> and can see what anyone types in via X.
>
>
> On Tue, Mar 3, 2015 at 5:56 PM, Ryan Freeman wrote:
>
>> On Tue, Mar 03, 2015 at 05:51:27PM +0100, someone wrote:
>> > Hello,
>> >
>> > If I:
>> >
>> > pkg_add firefox-esr
>> >
>> > then I cannot see any separated user for it:
>> >
>> > grep -i firefox /etc/passwd
>> >
>> > When will OpenBSD have a separated user for the webbrowser by default?
>>
>> I think Ted specifically stated that jailing the browser under its own
>> user was outside the scope of what he was intending to do..
>>
>> > If someone gets in via the webbrowser... it will have the id_rsa, the
>> > *.kdb, etc.
>> >
>> > If it will not be default what are the solutions for the people to
>> > run their webbrowser with another user?
>> >
>> > $ su - foo
>> > Password:
>> > $ /usr/local/bin/firefox-esr
>> > Error: no display specified
>> > $ exit
>> > echo $DISPLAY
>> > :0
>> > $ su - foo
>> > Password:
>> > export DISPLAY=":0"
>> > $ /usr/local/bin/firefox-esr
>> > No protocol specified
>> > No protocol specified
>> > Error: cannot open display: :0
>> > $
>> >
>>
>> You'll need to copy the .Xauthority file from your main user (the one
>> running X) to ~foo/.Xauthority
>>
>> From there, you can then run X apps as foo and they should work just
>> fine.
>>
>> > Or is X so bad that it's not worth it? Can I run _several X servers_
>> > on my notebook (separated from each other)?
>> >
>> > Ex.: CTRL+ALT+F2 would bring up the logged in user with its own X
>> > server, and CTRL+ALT+F3 another..
>> >
>> > Many thanks,
Re: Almost offtopic question to the "Improving Browser Security" question
Wow, copying the .Xauthority to the "separated" user worked!

But I'm still thinking that the "separated" user can give out the command:

xinput test 6

and can see what anyone types in via X.

On Tue, Mar 3, 2015 at 5:56 PM, Ryan Freeman wrote:

> On Tue, Mar 03, 2015 at 05:51:27PM +0100, someone wrote:
> > Hello,
> >
> > If I:
> >
> > pkg_add firefox-esr
> >
> > then I cannot see any separated user for it:
> >
> > grep -i firefox /etc/passwd
> >
> > When will OpenBSD have a separated user for the webbrowser by default?
>
> I think Ted specifically stated that jailing the browser under its own
> user was outside the scope of what he was intending to do..
>
> > If someone gets in via the webbrowser... it will have the id_rsa, the
> > *.kdb, etc.
> >
> > If it will not be default what are the solutions for the people to
> > run their webbrowser with another user?
> >
> > $ su - foo
> > Password:
> > $ /usr/local/bin/firefox-esr
> > Error: no display specified
> > $ exit
> > echo $DISPLAY
> > :0
> > $ su - foo
> > Password:
> > export DISPLAY=":0"
> > $ /usr/local/bin/firefox-esr
> > No protocol specified
> > No protocol specified
> > Error: cannot open display: :0
> > $
> >
>
> You'll need to copy the .Xauthority file from your main user (the one
> running X) to ~foo/.Xauthority
>
> From there, you can then run X apps as foo and they should work just
> fine.
>
> > Or is X so bad that it's not worth it? Can I run _several X servers_
> > on my notebook (separated from each other)?
> >
> > Ex.: CTRL+ALT+F2 would bring up the logged in user with its own X
> > server, and CTRL+ALT+F3 another..
> >
> > Many thanks,
Re: Almost offtopic question to the "Improving Browser Security" question
On Tue, Mar 03, 2015 at 05:51:27PM +0100, someone wrote:
> Hello,
>
> If I:
>
> pkg_add firefox-esr
>
> then I cannot see any separated user for it:
>
> grep -i firefox /etc/passwd
>
> When will OpenBSD have a separated user for the webbrowser by default?

I think Ted specifically stated that jailing the browser under its own
user was outside the scope of what he was intending to do..

> If someone gets in via the webbrowser... it will have the id_rsa, the
> *.kdb, etc.
>
> If it will not be default what are the solutions for the people to
> run their webbrowser with another user?
>
> $ su - foo
> Password:
> $ /usr/local/bin/firefox-esr
> Error: no display specified
> $ exit
> echo $DISPLAY
> :0
> $ su - foo
> Password:
> export DISPLAY=":0"
> $ /usr/local/bin/firefox-esr
> No protocol specified
> No protocol specified
> Error: cannot open display: :0
> $
>

You'll need to copy the .Xauthority file from your main user (the one
running X) to ~foo/.Xauthority

From there, you can then run X apps as foo and they should work just
fine.

> Or is X so bad that it's not worth it? Can I run _several X servers_
> on my notebook (separated from each other)?
>
> Ex.: CTRL+ALT+F2 would bring up the logged in user with its own X
> server, and CTRL+ALT+F3 another..
>
> Many thanks,
Almost offtopic question to the "Improving Browser Security" question
Hello,

If I:

pkg_add firefox-esr

then I cannot see any separated user for it:

grep -i firefox /etc/passwd

When will OpenBSD have a separated user for the webbrowser by default?

If someone gets in via the webbrowser... it will have the id_rsa, the
*.kdb, etc.

If it will not be default what are the solutions for the people to
run their webbrowser with another user?

$ su - foo
Password:
$ /usr/local/bin/firefox-esr
Error: no display specified
$ exit
echo $DISPLAY
:0
$ su - foo
Password:
export DISPLAY=":0"
$ /usr/local/bin/firefox-esr
No protocol specified
No protocol specified
Error: cannot open display: :0
$

Or is X so bad that it's not worth it? Can I run _several X servers_
on my notebook (separated from each other)?

Ex.: CTRL+ALT+F2 would bring up the logged in user with its own X
server, and CTRL+ALT+F3 another..

Many thanks,