Is there a way to deny Firefox access to files in the home directory? Every time an ADSL modem light is blinking suspiciously, I am worried about my files being transferred to a hacker.
-
3 This might sound sarcastic, but what if the ADSL modem light is blinking because you're using the internet? – grooveplex May 19 '17 at 19:05
2 Answers
Revised, incorporating Dmytro's insight regarding the necessary xhost commands, better use of sudo making this much simpler, & equipping /home/foxy/ with the necessary files. Works for me on 16.04 with plain Openbox (like a leaner Lubuntu).
Yes, you could do that. Create another user account, we'll call it "foxy", either with something like System Settings, or from a command line:
sudo adduser foxy
Now you need to provide that user with the config files needed to use Firefox. You can probably do that most properly by relogging as foxy and doing it from there, but I found it was sufficient to copy the "hidden" "dot files", like .config and .mozilla from my home directory into /home/foxy/ & then:
chown -R foxy:foxy /home/foxy
At this point, since you shouldn't need to ever log in as foxy any more, it might be a good idea to reset foxy's password to some absurdly long and random string. Seriously long and random since you won't need to remember it. This is similar to the approach used by Ubuntu to semi-disable the root account. This isn't a real big deal since foxy isn't going to be in the sudoers file anyway, but as long as we're being seriously hard-ass 'noid, let's go all the way. Since you will need to enter it twice you'll want it in the clipboard or in an open terminal or editor to copy it from. But be careful not to write it to a drive. You could even make and mount a ramfs filesystem and write a text file to it, then open the text file and create your long random string in it and copy from there. For special high security purposes ramfs is superior to tmpfs because it never gets written to swap. (But be careful using it more generally because it will cheerfully use ALL your RAM if you keep putting things in it.) Anyway, to change foxy's password, use:
sudo passwd foxy
Now we make 2 tiny scripts. We'll call the first one ffx and put it in some directory on the path. Like this:
#!/bin/bash
# This file, ffx, needs to go in a directory on the path
sudo /path/to/a_password_exempted_directory/ffx_2.sh
(You could probably do that as a function or alias and load it with your bash profile or one of the similar files, instead of making it a script on your path, if you prefer, but I haven't tested that.)
The other we'll call ffx_2.sh and put in a directory that has been exempted from the requirement of typing a password with sudo with the appropriate lines in /etc/sudoers. Like this:
#!/bin/bash
# This needs to go in a directory that is exempted from password requirement in /etc/sudoers
# Allows foxy to access the logged in user's xserver
xhost nis:foxy@
# starts firefox as foxy with home set to /home/foxy
sudo -u foxy --set-home firefox
# Removes foxy's privilege to use the xserver
xhost -nis:foxy@
I'm following Dmytro's 'noid approach and turning on foxy's access to the x server only when using Firefox and turning it off afterwards. I don't think this is actually necessary. Maybe it is more secure, but that isn't obvious to me. I think you can actually just run the first xhost command:
xhost nis:foxy@
ONCE & then foxy's access will persist across reboots. If I'm right and you do it that way, you can take both the xhost commands out of the script, after running the first command once.
Either way, you can invoke this with ffx from a terminal, run box or manually edited menu like the Openbox menu or 9menu. You can make a desktop file for it and put it in /usr/share/applications and adaptive menus like the Debian menu from the package menu or, I'm told, Launcher in Unity, should pick up on it.
To anticipate an objection, this is NOT a security risk like plain sudo firefox or gksudo firefox would be. Sudo and similar commands are fundamentally about doing something as some other user. But they are used to do something AS ROOT so often, they default to -u root (which you can also do explicitly) to save keystrokes. It is not using sudo with Firefox that is dangerous, it is using sudo to run Firefox AS ROOT that is dangerous. When you use the -u option and specify another ordinary user, you aren't running Firefox as root.
Comparison to the script-blocking approach:
cons:
more work to implement than noscript or librescript
less of a "standard" approach
script blockers CAN reduce resource usage, this doesn't
pros:
Firefox can access all functions of script dependent websites.
Doesn't require any tweaking after initial implementation.
Easier to use.
You can STILL use Firefox extensions to reduce resource usage. Noscript isn't the only option for that. Flashblock, FlashStopper, Gifblock, Image Block, etc.
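
Running Firefox as a second account only protects files whose permissions exclude "other" users, which is the point the comments on this answer raise when discussing chmod. The following is an added example, not part of the original answer: it audits a directory tree for entries that an account like foxy could reach and applies the `chmod -R o-rwx` change suggested in the comments. The function names and the demo tree (a stand-in for /home/user1) are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the original answer. Audits which entries under a
# home directory grant any permission to "other", i.e. to a second account
# such as foxy that is neither the owner nor in the owning group.

# List every entry under DIR with a read, write or execute bit set for other.
other_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Exit 0 if DIR itself can be listed or entered by other. When this fails,
# other accounts cannot resolve any path below DIR.
top_dir_open() {
    [ -n "$(find "$1" -prune \( -perm -004 -o -perm -001 \) -print)" ]
}

# The change suggested in the comments: clear only the "other" bits, so
# owner and group permissions stay as they were (unlike chmod -R 700).
lock_out_others() {
    chmod -R o-rwx "$1"
}

# Constructed stand-in for /home/user1 with mixed modes.
make_demo_home() {
    local d
    d=$(mktemp -d) || return 1
    mkdir "$d/Documents"
    echo data > "$d/Documents/taxes.txt"
    echo data > "$d/shared.txt"
    echo data > "$d/private.key"
    chmod 755 "$d" "$d/Documents"
    chmod 644 "$d/Documents/taxes.txt"
    chmod 664 "$d/shared.txt"
    chmod 600 "$d/private.key"
    echo "$d"
}

# Demonstration on the constructed tree only; nothing outside it is touched.
demo=$(make_demo_home)
echo "Reachable by other before:"; other_accessible "$demo"
lock_out_others "$demo"
echo "Reachable by other after:";  other_accessible "$demo"
top_dir_open "$demo" || echo "Top-level directory is closed to other"
rm -rf "$demo"
```

To audit a real home directory without changing it, call only `other_accessible /home/user1` and `top_dir_open /home/user1`.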

-
1 Nice use of something we normally don't think about (in terms of how it really works). – Zeiss Ikon May 19 '17 at 14:56
-
Thank you, guy (Lew Rockwell Fan)! I was thinking about this. We are thinking of the same. But! Firefox from user foxy still opens files from user1's home folder. Perhaps files in user1's home folder should be with chmod 700. Then foxy's firefox cannot access files from user1's folder. Right? – Dmytro May 19 '17 at 15:39
-
And yes, you could reset perms in your regular /home/username. Mostly they should be owned by your regular user and readable and writable by your regular user and primary group, but not by anybody else. I'd have to look up the numeric value - I use the human readable syntax when chmoding. – Lew Rockwell Fan May 19 '17 at 16:11
-
BTW, I did test this as far as verifying the effect of the procedure on the value of the HOME variable, before posting it. I'm running 16.04 xenial 64 bit. I'm curious to see your response. If you didn't skip a step, I'll test the whole thing to see why it doesn't work as I'd expect. – Lew Rockwell Fan May 19 '17 at 16:15
-
1 Sorry, I can not be at askubuntu.com now anymore. I use a bash script at gnome-panel: xhost +local:foxy [next line] echo 'password' | sudo -u foxy firefox [next line] xhost +local:user1. It is working perfect. – Dmytro May 19 '17 at 16:39
-
Good. Glad you got some variation working. Ironically I just came back to this tab to downvote my own answer because, now I'm testing the entirety of it and I haven't made it work yet. Apparently I need to do a better job of creating the user foxy and setting foxy's privs. Since you got it to work, you ought to answer by amending my answer with your revision and accept your own answer. I'll upvote it. I assume you get points for answering your own question. Since you DID get it to work, instead of downvoting my own, I'll research adding users properly, which is where I erred, & revise it. – Lew Rockwell Fan May 19 '17 at 17:02
-
Lew Rockwell Fan, xhost +local:foxy is in my script. I only have shown my script. It is optional for older computers. – Dmytro May 20 '17 at 09:32
-
So, what I have done. Created user2. Changed permission of user1's folder to 700 (user:7,group:0,others:0) (7=4-read+2-write+1-execute) (chmod -R 700 /home/user1, -R - recursively). Launched firefox (from terminal: echo 'password' | sudo -S -u user2 firefox or from shell script at gnome-panel: echo 'password' | sudo -u user2 firefox, if it is needed, add xhost +local:user2 before echo 'passw...). – Dmytro May 20 '17 at 09:46
-
Your use of "local:user2" vs. my "nis:foxy@" may be better. I still don't entirely understand xhost "names". My breaking it down into 2 scripts & making one exempt from the requiring password entry by editing sudoers avoids the security problem of having your password in a script and avoids the alternate of having to type a lot to invoke Firefox. Putting your password in a script is generally considered a major vulnerability. With the double script approach, ffx is all you have to remember or type. You could keybind the first script to something like cntrl-f if you like keybindings. – Lew Rockwell Fan May 20 '17 at 15:57
1 In case I wasn't clear, I reiterate: With the double script approach with ffx on the path and with a command in it to invoke ffx_2.sh with sudo, & ffx_2.sh exempted from requiring a password, the script ffx_2.sh runs as root and firefox runs as foxy without the danger of your password being in a script, and without having to type it in. If you really want a terse command you could call the first script "f" instead of "ffx". Minimal typing, no extra terminals, no security hole that I can see. – Lew Rockwell Fan May 20 '17 at 16:09
I added a little bit of overkill regarding a password for the foxy account. – Lew Rockwell Fan May 20 '17 at 16:59
-
chmod -R o-rwx /home/user1 instead of chmod -R 700 /home/user1 might be better – Dmytro May 21 '17 at 09:22
-
So as to avoid changing perms for owner or group, but only for other? Yes, I think you're right. – Lew Rockwell Fan May 21 '17 at 16:54
As a simple and straightforward solution, you can install noscript Firefox extension.
By default it disables local file access. You can see it in noscript options → Advanced tab → ABE sub-tab → SYSTEM rules.
It also lets you control Javascript execution globally and on a per-domain basis. If you don't need these features you can disable them in the extension settings (but according to the point of view of your question, I think you will find it useful).
You can get more info at their website noscript.net.
-
1 Thank you for the answer, Dgonzalez! I have noscript installed, but did not know the feature of disabling local file access. Perhaps it have new versions of noscript, but unfortunately I can not afford them to myself. Thank you, anyway! – Dmytro May 19 '17 at 16:06
-
@Dmytro the extension is totally free & open source (and free of charge too) and that option is enabled by default. I updated my answer. – dgonzalez May 19 '17 at 16:17
-
1 I upvoted this. Noscript is very powerful. I'd have mentioned it myself if I had thought of it. BUT - it is a royal PITA to get it set just right to enhance security without breaking half the sites on the web. There is also librescript, which ain't a whole lot easier. I'd like to hang the SOB that invented javascript. – Lew Rockwell Fan May 19 '17 at 16:19