Re: sudo and firefox (was: Off-topic: Gmail Grrrr.)

2013-12-25 Thread Reco
 Hi.

On Wed, 25 Dec 2013 08:33:12 +0100
Ralf Mardorf  wrote:

> On Wed, 2013-12-25 at 08:28 +0100, Ralf Mardorf wrote:
> > On Wed, 2013-12-25 at 11:05 +0400, Reco wrote:
> > > And that assumes you're keeping browsing history. Why people are doin'
> > > this is something that I can never understand.
> > 
> > Ok, in this case I recommend to use
> > 
> > [rocketmouse@archlinux ~]$ pacman -Q tor-browser-en
> > tor-browser-en 3.5-1

Wow. You don't take half-measures, do you?
I was referring to a simple 'Clear history when Firefox closes'
checkbox.


> > For my Debian and *buntu install I don't have it installed, since I
> > seldom/never need it, it's only installed for my Arch Linux, just in
> > case I should need it.

TOR has its uses for me, but installing the thing just to clear
browser history is overkill.


> > IOW a history is useful, is useful, is useful :).
> > 
> > About what are we talking?
> > 
> > The easiest way still is to use profiles.

Easy != secure.
Convenient != secure.


> Ok, security is something
> > else. At least suppress trackers and if needed use a TOR browser tuned
> > regarding to security, like "normal" anonymous Firefox browsing the TOR
>   ^^ sorry, I already was
> thinking about an add-on, but there is the "private window" option,
> which is a Firefox default option.
> > Firefox browsing doesn't provide a history.

'Private window' is useless for me.
I mean - 'not keeping browser history'? I don't keep it anyway.
'Not keeping cookies'? All cookies are purged on browser close.

Reco


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/20131225120111.142c711251eb69e16d6ac...@gmail.com



Re: sudo and firefox (was: Off-topic: Gmail Grrrr.)

2013-12-24 Thread Ralf Mardorf
On Wed, 2013-12-25 at 08:28 +0100, Ralf Mardorf wrote:
> On Wed, 2013-12-25 at 11:05 +0400, Reco wrote:
> > And that assumes you're keeping browsing history. Why people are doin'
> > this is something that I can never understand.
> 
> Ok, in this case I recommend to use
> 
> [rocketmouse@archlinux ~]$ pacman -Q tor-browser-en
> tor-browser-en 3.5-1
> 
> For my Debian and *buntu install I don't have it installed, since I
> seldom/never need it, it's only installed for my Arch Linux, just in
> case I should need it.
> 
> IOW a history is useful, is useful, is useful :).
> 
> About what are we talking?
> 
> The easiest way still is to use profiles. Ok, security is something
> else. At least suppress trackers and if needed use a TOR browser tuned
> regarding to security, like "normal" anonymous Firefox browsing the TOR
  ^^ sorry, I already was
thinking about an add-on, but there is the "private window" option,
which is a Firefox default option.
> Firefox browsing doesn't provide a history.
> 
> 



Archive: http://lists.debian.org/1387956792.8138.98.camel@archlinux



Re: sudo and firefox (was: Off-topic: Gmail Grrrr.)

2013-12-24 Thread Ralf Mardorf
On Wed, 2013-12-25 at 11:05 +0400, Reco wrote:
> And that assumes you're keeping browsing history. Why people are doin'
> this is something that I can never understand.

Ok, in this case I recommend to use

[rocketmouse@archlinux ~]$ pacman -Q tor-browser-en
tor-browser-en 3.5-1

For my Debian and *buntu install I don't have it installed, since I
seldom/never need it, it's only installed for my Arch Linux, just in
case I should need it.

IOW a history is useful, is useful, is useful :).

About what are we talking?

The easiest way still is to use profiles. Ok, security is something
else. At least suppress trackers and if needed use a TOR browser tuned
regarding to security, like "normal" anonymous Firefox browsing the TOR
Firefox browsing doesn't provide a history.


Archive: http://lists.debian.org/1387956491.8138.95.camel@archlinux



Re: sudo and firefox (was: Off-topic: Gmail Grrrr.)

2013-12-24 Thread Reco
 Hi.

On Wed, 25 Dec 2013 07:33:53 +0100
Ralf Mardorf  wrote:

> On Wed, 2013-12-25 at 10:15 +0400, Reco wrote:
> > b) That sneaky sandbox user can override firefox with something
> > like /home/user9-boxed/bin/firefox, which is bad.
> 
> Here we are again ;).
> 
> Using a profile, supported by firefox, is the easiest and securest way.

An ability to read and write an arbitrary file in user's $HOME cannot be
called 'secure'.

And even if I'd trust the browser (firefox is free software, after all),
there is a matter of plugins.

> 
> I only use another user, instead of a profile, if I need a password,
> e.g. to make a history including adult content unavailable for kids.

And that assumes you're keeping browsing history. Why people are doin'
this is something that I can never understand.

Still, even if we disregard this 'browsing history' topic, there is a
matter of online advertisement, which is known to show banners based on
a user's habits. And IMO not all children should see all these
banners.

> 
> If you care for security, this is one reason to prefer profiles.

If I'd care for security that much, I'd use LXC for running a browser.
Since I'm lazy, I just use a couple of accounts.


> 
> Btw. somebody on this list once called it a sledgehammer and I agree,
> but if I don't use a profile, but another user then I don't care:
> 
> xhost +
> gksudo -u chuser "$*"
> xhost -
> exit
> 
> I still don't understand what's bad with using profiles. A profile
> doesn't have any drawback.

See above.


Reco


Archive: 
http://lists.debian.org/20131225110526.16137e81dbcdca35fcd68...@gmail.com



Re: sudo and firefox (was: Off-topic: Gmail Grrrr.)

2013-12-24 Thread Ralf Mardorf
On Wed, 2013-12-25 at 10:15 +0400, Reco wrote:
> b) That sneaky sandbox user can override firefox with something
> like /home/user9-boxed/bin/firefox, which is bad.

Here we are again ;).

Using a profile, supported by firefox, is the easiest and securest way.

I only use another user, instead of a profile, if I need a password,
e.g. to make a history including adult content unavailable for kids.

If you care for security, this is one reason to prefer profiles.

Btw. somebody on this list once called it a sledgehammer and I agree,
but if I don't use a profile, but another user then I don't care:

xhost +
gksudo -u chuser "$*"
xhost -
exit

I still don't understand what's bad with using profiles. A profile
doesn't have any drawback.

:D
Ralf



Archive: http://lists.debian.org/1387953233.8138.86.camel@archlinux



Re: sudo and firefox (was: Off-topic: Gmail Grrrr.)

2013-12-24 Thread Reco
 Hi.

On Wed, 25 Dec 2013 12:08:01 +0900
Joel Rees  wrote:

> On Tue, Dec 24, 2013 at 9:42 PM, Reco  wrote:
> >  Hi.
> >
> > On Tue, 24 Dec 2013 13:29:28 +0100
> > Ralf Mardorf  wrote:
> >
> >> This would lead to "Error: cannot open display: :0.0".
> >> Sure, $ xhost +; sudo -u [...] does the trick,
> >
> > No, if you do it smart way, such as (in .xsessionrc):
> >
> > xauth extract - $DISPLAY | sudo -u user1 -- sh -c \
> > "cat -> /home/user1/.Xauthority"
> > xauth extract - $DISPLAY | sudo -u user2 -- sh -c \
> > "cat -> /home/user2/.Xauthority"
> >
> > And configure sudo to keep $DISPLAY.
> > [...]
> 
> I'm using "xhost" to do something similar, maybe the same thing? I
> described it a couple of years ago:
> 
> http://reiisi.blogspot.jp/2011/08/simple-sandbox-for-firefox.html
> 
> I'd be interested in comments.


Result is definitely the same, although I'd use

xhost +si:localuser:${1}

instead of

xhost local:${1}

Not that there is much difference about it, given that Debian (or Fedora, or
any major distribution for that matter) has not shipped the XSECURITY
extension for a long time.


And I'd use

sudo -H -u ${1} /usr/bin/firefox $2

instead of

sudo -H -u ${1} firefox $2

because:

a) Without -H sudo can keep $HOME, which will force firefox to search
its profile in the different user's home (kinda beats the purpose of
sandbox, isn't it?).

b) That sneaky sandbox user can override firefox with something
like /home/user9-boxed/bin/firefox, which is bad.


What I'm curious about, is that you did not have to permit sudo to keep
$DISPLAY environment variable. Is it something that Fedora allows by
default? Because Debian surely does not (env_reset by default).

Reco


Archive: 
http://lists.debian.org/20131225101505.a913d65d212d52505052d...@gmail.com
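
The points from the message above (a per-user xhost grant, `sudo -H`, and an absolute browser path that the sandbox account cannot replace) combined into one launcher. This is an added example, not code from the thread or from any poster. The function names and the `BROWSER_BIN` variable are hypothetical, and it assumes sudoers keeps `DISPLAY` (for example `Defaults env_keep += "DISPLAY"`), since Debian's default is env_reset.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.
# Usage once sourced:  launch_sandboxed user9-boxed https://example.org/

# check_browser_path BIN SANDBOX_HOME
# Succeeds only if BIN is an absolute path, is executable, and does not
# resolve to a file under the sandbox user's home, where that user could
# swap in their own "firefox" (point b in the message above).
check_browser_path() {
    bin=$1 home=$2
    case $bin in
        /*) ;;
        *) echo "refusing PATH lookup for: $bin" >&2; return 1 ;;
    esac
    [ -x "$bin" ] || { echo "not executable: $bin" >&2; return 1; }
    # Resolve symlinks so a link pointing into the sandbox home is caught.
    real=$(readlink -f -- "$bin") || return 1
    realhome=$(readlink -f -- "$home") || return 1
    case $real in
        "$realhome"/*)
            echo "binary is under sandbox home: $real" >&2; return 1 ;;
    esac
    return 0
}

# launch_sandboxed USER URL  (needs a running X session and a sudoers rule)
launch_sandboxed() {
    user=$1 url=$2
    browser=${BROWSER_BIN:-/usr/bin/firefox}   # assumed install location
    home=$(getent passwd "$user" | cut -d: -f6)
    [ -n "$home" ] || { echo "no such user: $user" >&2; return 1; }
    check_browser_path "$browser" "$home" || return 1
    # Grant X access to this one local account only, not to every client.
    xhost "+si:localuser:$user" >/dev/null || return 1
    # -H makes HOME the target user's home, so the profile is theirs (point a).
    sudo -H -u "$user" -- "$browser" "$url"
    rc=$?
    xhost "-si:localuser:$user" >/dev/null   # revoke the grant afterwards
    return $rc
}
```
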