I tend to be more than a little paranoid, so this is how my desktop is setup. Unix's standard user-separation is the core idea. I assume privilege escalation from local user to root is not possible (and I keep a close watch for security announcements that might change that assumption -- they're rare but do happen!)
I use 3 different userids on my desktop and laptop.
-
sitaram
is the main userid- no browser is ever run on this userid
- not even trusted sites like my employer's portal or my bank. The browser is set to a non-existant proxy to prevent even accidental use
- thunderbird and mutt are used for email
- thunderbird is set to a non-existent proxy and JS is disabled
- for mutt, HTML parts are opened by
dillo
(very light and fast to open, no JS support), again set to a non-existent proxy
- both have settings that force any attached files to open in a different userid
- (see "mailcap" section later)
- similarly, all binary format files (e.g., LibreOffice documents) are opened in the
ff
userid- (see "jailer" program later)
sitaram
has keyed ssh access toff
(but not the other way around).
- no browser is ever run on this userid
-
g3
to do all my gitolite testing in- this user also has some firefox profiles that are specific to various accounts (one for my secondary gmail account, one for my bank, and so on)
- all web browsing to important sites (bank, for example) that requires a login, happens from this userid
- any downloaded files (e.g., bank statements) have to be manually copied to
sitaram
(I just use/tmp
as a holding area for this).
-
ff
for everything else- no sudo permissions, not part of
wheel
group - all ad hoc web browsing, RSS feeds, and useless sites like reddit are browsed from here
- sites which have a login, have their own profiles
- also, all movies and such are played in this userid
- no sudo permissions, not part of
The ff
user handles attachments incoming from sitaram
as described above.
This is done by using a mailcap file, as well as the "application helper" in
thunderbird, that point to this script:
#!/bin/bash
# runs on 'sitaram' only; can be used as "application helper" in thunderbird etc
f="$1"
jailer xdg-open "$f"
where jailer
is a program that you will also find in this repo. What
jailer
does is to copy the file to the ff user then invoke the program (in
this example xdg-open
) from the ff
user.
The end result is, if I do open a malicious file that manages to execute
something, unless the malware can directly jump to root
, it can only see
copies of a few files that I opened in the last hour or so of work.
If I want to make changes, I have to save it within the ff
userid, then have
sitaram
copy it over using rsync
or scp
.
I almost never log on to gmail at a browser. Despite google's probably well-meaning but inaccurate nomenclature (they call "device passwords" something like "insecure device access" or some such nonsense), I have setup IMAP access and have separate passwords for mutt and thunderbird to access gmail.
This has several advantages:
-
removes a whole class of security issues that sometimes come up when you link a "web browser" with potentially untrusted mail content.
-
since I explicitly disable javascript (and other forms of remote content is disabled by default anyway) in thunderbird also, this ensures that even the nastiest email-borne malware does not have any impact.
side note: disabling JS in TB requires going into the config editor; it's not in the menus.
-
you don't have to stay logged in at a browser (leading to various kinds of privacy leaks)