Re: chroot email + browser ???
- From: Menno Duursma <menno@xxxxxxxxxxx>
- Date: Sat, 25 Feb 2006 14:12:22 +0100
On Fri, 24 Feb 2006 16:17:09 +0000, Kevin the Drummer wrote:
> [...] My question regards what to do about attacks on an individual
> user. I've been pondering the idea of creating a separate user account
> for my email and web activities, running those clients as that user, and
> the rest of my activities as a standard user. The standard user would
> have permissions to do as they pleased with the internet user's files,
> but not the other way around.
I've been setting stuff up like that for years; for CLI/TUI applications
it's a simple matter of adding the user, and to /etc/suauth a line such as:
# Allow 'menno' access to .fetchmailrc and stuff
pine:menno:NOPASS
And an alias in ~/.profile and ~/.bashrc of user menno (which I may have
set up to autologin also (via /etc/inittab, or [XKG]DM)).
For X applications I use the .Xauthority file, although one might (almost)
as well add a line to maybe ~/.xinitrc that does a 'xhost +local:',
provided the machine doesn't provide shell access occasionally. Here is
somewhat of an attempt at a howto - for FireFox under FVWM on Slackware:
http://groups.google.nl/group/alt.os.linux.slackware/msg/ee6ddf2b4f6c1828
> Maybe there's a good way to chroot an email client or a web client.
First thing that comes to mind would be to add a * before the shell in
/etc/passwd (that should chroot to wherever the $HOME field points.)
> My goal is to make email and browsing safer.
I don't think chrooting is going to add much (if anything) to that end,
provided user/group protection bits are set up properly on your system...
Specifically you may want to look at group/other bits on suid binaries:
http://groups.google.nl/group/alt.os.linux.slackware/msg/0664ccdbcf16ebfe
> I don't chat or instant message, maybe some folks would have interest in
> making those activities safer. What are your thoughts on this?
The network client applications under separate user accounts seems like a
good idea to me (obviously), however chroot might well be more trouble than
it's worth IME. Recovering from a messed-up 'firefox' account is just
emptying the home dir and restoring the bookmarks file from backup.
Note also with X apps an attacker has pretty much full control over your
display (and may even be able to spy on the keyboard) should they hack into
an arbitrary application, so this doesn't effectively eliminate (browser)
session hijacking, or even key/passphrase logging should you use an X-term
for ssh on the same desktop (another X-server on tty8 for instance would
be better still.) But such an attack may not be very easy to automate.
HTH.
--
-Menno.
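The separate-account setup Menno describes (sandbox user, one-way access to its home dir, passwordless su via /etc/suauth plus an X cookie hand-over) and his pointer about group/other bits on suid binaries can both be turned into a few shell helpers. The script below is an added example and is not part of the mail; the sandbox user name, home path and the use of `xauth nextract`/`nmerge` over a pipe are assumptions, and the su rule it relies on is whatever you put in /etc/suauth (or a sudo equivalent).

```shell
#!/bin/sh
# Added example (not from the mail): helper functions for the "network
# clients under a separate user" setup. The sandbox user name and the
# home path are assumptions; adapt them to your own accounts.

# Audit a sandbox user's home directory. The intended layout is 0750:
# the owner has full access, members of the sandbox user's group (add
# your everyday account to that group) can read bookmarks etc., and
# nobody else can even list the directory. Prints the problem and
# returns 1 on a mismatch, 0 when the bits are as expected.
audit_sandbox_home() {
    mode=$(ls -ld "$1" | cut -c2-10)          # e.g. rwxr-x---
    group=$(printf '%s' "$mode" | cut -c4-6)
    other=$(printf '%s' "$mode" | cut -c7-9)
    if [ "$other" != "---" ]; then
        echo "$1: accessible to everyone (other bits: $other)" >&2
        return 1
    fi
    case $group in
        r-x) return 0 ;;
        *)   echo "$1: group bits should be r-x, are $group" >&2; return 1 ;;
    esac
}

# List setuid files below $1 that any user can execute. Restricting
# such binaries to a trusted group (chmod 4750 plus chgrp) keeps a
# compromised sandbox account away from them; the output is the list
# you have to review by hand.
find_world_exec_suid() {
    find "$1" -type f -perm -4001 -print
}

# Hand the current X authority cookie to the sandbox user and start a
# client there. Assumes su to this target without a password is allowed
# (an /etc/suauth rule as in the mail, or a sudo equivalent). The
# command string is interpreted by the sandbox user's shell, so keep
# it to a simple program name.
run_in_sandbox() {
    user=$1; shift
    xauth nextract - "$DISPLAY" | su - "$user" -c 'xauth nmerge -' || return 1
    su - "$user" -c "DISPLAY=$DISPLAY $*"
}
```

Typical use from the everyday account: `audit_sandbox_home /home/firefox` after creating the account, `find_world_exec_suid /usr/bin` when reviewing what a compromised sandbox user could still run, and an alias such as `alias firefox='run_in_sandbox firefox firefox'` (assumed sandbox user name `firefox`) so the browser always starts under the sandbox account. Passing the cookie through a pipe keeps it out of `ps` output and avoids the `xhost +local:` shortcut the mail mentions.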