Re: Isolating Firefox in a nested X server, and running as a different user
On Sun, Dec 16, 2012 at 02:21:59PM -0800, Robert Connolly wrote:
> I would like to hear comments about using pf to filter user/group,
> to make sure Firefox uses a proxy. The idea behind this is to stop
> Firefox from leaking my IP. Is this the most efficient way to do
> this?

I block a user using torified Firefox with PF, but remember there are some issues: ping is done under the root account and iirc DNS resolving as well.

I use dnscrypt-proxy. I used to have pdnsd running, which was using dnscrypt-proxy and DNS via tor (if tor was running). Too complicated :)

jirib
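A pf.conf fragment illustrating the per-user filtering asked about above, added here as an example and not taken from anyone in the thread. It assumes a local SOCKS proxy listening on 127.0.0.1:9050 (tor's default) and relies on pf's user/group options matching only tcp and udp sockets, which is exactly why the caveat about ping (ICMP) and root-owned resolvers still applies.

```pf
# Constructed pf.conf fragment (not from the thread): confine the 'firefox'
# user and group to the local SOCKS proxy. Assumes tor on 127.0.0.1:9050.
proxy_port = "9050"

# The only outbound socket the firefox user may open is the local proxy.
# 'quick' makes this the final decision for matching packets.
pass out quick on lo0 proto tcp to 127.0.0.1 port $proxy_port user firefox

# Every other tcp/udp connection originating from the firefox user or group
# is dropped and logged. This also catches direct DNS queries (port 53),
# which would otherwise leak the real source IP.
block out quick log proto { tcp, udp } all user firefox
block out quick log proto { tcp, udp } all group firefox

# Caveat: pf's user/group options only match tcp and udp sockets, so ICMP
# (ping) and lookups done by other processes, e.g. a resolver running as
# root, are not covered by these rules and need to be handled separately.
```

With a SOCKS proxy, Firefox also has to send its name lookups through the proxy (the network.proxy.socks_remote_dns preference); otherwise its own DNS queries hit the block rule and simply fail, and `tcpdump -n -e -ttt -i pflog0` shows the blocked attempts.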
Re: Isolating Firefox in a nested X server, and running as a different user
Ok. I took the suggestions, and now have:

Xephyr -screen 1358x693 :1 & ssh -Xf firefox@localhost 'twm -display :1 & firefox -no-remote --display :1'

I found the xsel(1) scripts to do copying and pasting from different displays, and it works with some getting used to. I intend to make some title bar buttons to make this easier.

I still don't know whether I should be running Xephyr as my user, or as the firefox user.

Also, would the sshd_config ForceCommand option be a good idea?

ForceCommand twm -display :1 & firefox -no-remote --display :1

It's working well. After using xset to match my mouse settings, I still notice a touch of mouse lag, but it's completely usable.

I would like to hear comments about using pf to filter user/group, to make sure Firefox uses a proxy. The idea behind this is to stop Firefox from leaking my IP. Is this the most efficient way to do this?

Thanks
Re: Isolating Firefox in a nested X server, and running as a different user
On Sat, Dec 01, 2012 at 08:53:53PM -0800, Robert Connolly wrote:
> Hello.
>
> In an effort to isolate Firefox (or any graphical browser) from my
> user account, I have added a 'firefox' user and group, added
> 'firefox' user to sshd_config to allow x11 forwarding, and ran the
> following commands:
> $ Xephyr :1
> $ ssh -Yf firefox@localhost firefox --display :1
>
> This can be made nicer with a window manager, but I don't think that
> is important here.
>
> From what I understand, this will prevent Firefox from having access
> to my display, such as keystrokes and mouse movement. It will also
> prevent Firefox from having access to my go-rwx files, and
> modification permissions to my files. This sounds like all of the
> isolation I want from Firefox, while still being able to use it.
>
> I would like to know if I am missing or forgetting anything. I don't
> think a chroot for Firefox will gain me much. Other options include
> using pf and systrace, but again I don't think this would gain me
> much.

Newer Xephyr, which is not in Xenocara yet, offers a resizable window. You can also share the clipboard with little scripts between X servers.

jirib
Re: Isolating Firefox in a nested X server, and running as a different user
You should not use the -Y option to ssh. It gives your 'firefox' session access to your main X session through the ssh X tunnel (and the DISPLAY environment variable).

See http://gouloum.fr/doc/desktop_sec.html for a similar approach (using sudo instead of ssh to switch users).

On Dec 2, 2012 5:55 AM, "Robert Connolly" wrote:
> Hello.
>
> In an effort to isolate Firefox (or any graphical browser) from my user
> account, I have added a 'firefox' user and group, added 'firefox' user to
> sshd_config to allow x11 forwarding, and ran the following commands:
> $ Xephyr :1
> $ ssh -Yf firefox@localhost firefox --display :1
>
> This can be made nicer with a window manager, but I don't think that is
> important here.
>
> From what I understand, this will prevent Firefox from having access to my
> display, such as keystrokes and mouse movement. It will also prevent
> Firefox from having access to my go-rwx files, and modification permissions
> to my files. This sounds like all of the isolation I want from Firefox,
> while still being able to use it.
>
> I would like to know if I am missing or forgetting anything. I don't think
> a chroot for Firefox will gain me much. Other options include using pf and
> systrace, but again I don't think this would gain me much.
>
> Thanks
Re: Isolating Firefox in a nested X server, and running as a different user
On Sat, Dec 01, 2012 at 08:53:53PM -0800, Robert Connolly wrote:
> Hello.
>
> In an effort to isolate Firefox (or any graphical browser) from my
> user account, I have added a 'firefox' user and group, added
> 'firefox' user to sshd_config to allow x11 forwarding, and ran the
> following commands:
> $ Xephyr :1
> $ ssh -Yf firefox@localhost firefox --display :1

You might want -no-remote also. Seems to me if I don't do this I have problems with Firefox forking an existing instance when using ssh forwarding as in your example.

/jl
Isolating Firefox in a nested X server, and running as a different user
Hello.

In an effort to isolate Firefox (or any graphical browser) from my user account, I have added a 'firefox' user and group, added 'firefox' user to sshd_config to allow x11 forwarding, and ran the following commands:

$ Xephyr :1
$ ssh -Yf firefox@localhost firefox --display :1

This can be made nicer with a window manager, but I don't think that is important here.

From what I understand, this will prevent Firefox from having access to my display, such as keystrokes and mouse movement. It will also prevent Firefox from having access to my go-rwx files, and modification permissions to my files. This sounds like all of the isolation I want from Firefox, while still being able to use it.

I would like to know if I am missing or forgetting anything. I don't think a chroot for Firefox will gain me much. Other options include using pf and systrace, but again I don't think this would gain me much.

Thanks