Skip to content

Latest commit

 

History

History
83 lines (61 loc) · 3.76 KB

security.mkd

File metadata and controls

83 lines (61 loc) · 3.76 KB
Raw

a bit of paranoia

I tend to be more than a little paranoid, so this is how my desktop is setup. Unix's standard user-separation is the core idea. I assume privilege escalation from local user to root is not possible (and I keep a close watch for security announcements that might change that assumption -- they're rare but do happen!)

user-separation

I use 3 different userids on my desktop and laptop.

  • sitaram is the main userid

    • no browser is ever run on this userid
      • not even trusted sites like my employer's portal or my bank. The browser is set to a non-existant proxy to prevent even accidental use
    • thunderbird and mutt are used for email
      • thunderbird is set to a non-existent proxy and JS is disabled
      • for mutt, HTML parts are opened by dillo (very light and fast to open, no JS support), again set to a non-existent proxy
    • both have settings that force any attached files to open in a different userid
      • (see "mailcap" section later)
    • similarly, all binary format files (e.g., LibreOffice documents) are opened in the ff userid
      • (see "jailer" program later)
    • sitaram has keyed ssh access to ff (but not the other way around).

  • g3 to do all my gitolite testing in

    • this user also has some firefox profiles that are specific to various accounts (one for my secondary gmail account, one for my bank, and so on)
    • all web browsing to important sites (bank, for example) that requires a login, happens from this userid
    • any downloaded files (e.g., bank statements) have to be manually copied to sitaram (I just use /tmp as a holding area for this).

  • ff for everything else

    • no sudo permissions, not part of wheel group
    • all ad hoc web browsing, RSS feeds, and useless sites like reddit are browsed from here
      • sites which have a login, have their own profiles
    • also, all movies and such are played in this userid

mailcap and jailer

The ff user handles attachments incoming from sitaram as described above. This is done by using a mailcap file, as well as the "application helper" in thunderbird, that point to this script:

#!/bin/bash
# runs on 'sitaram' only; can be used as "application helper" in thunderbird etc

f="$1"
jailer xdg-open "$f"

where jailer is a program that you will also find in this repo. What jailer does is to copy the file to the ff user then invoke the program (in this example xdg-open) from the ff user.

The end result is, if I do open a malicious file that manages to execute something, unless the malware can directly jump to root, it can only see copies of a few files that I opened in the last hour or so of work.

If I want to make changes, I have to save it within the ff userid, then have sitaram copy it over using rsync or scp.

mutt/thunderbird for gmail

I almost never log on to gmail at a browser. Despite google's probably well-meaning but inaccurate nomenclature (they call "device passwords" something like "insecure device access" or some such nonsense), I have setup IMAP access and have separate passwords for mutt and thunderbird to access gmail.

This has several advantages:

  • removes a whole class of security issues that sometimes come up when you link a "web browser" with potentially untrusted mail content.

  • since I explicitly disable javascript (and other forms of remote content is disabled by default anyway) in thunderbird also, this ensures that even the nastiest email-borne malware does not have any impact.

    side note: disabling JS in TB requires going into the config editor; it's not in the menus.

  • you don't have to stay logged in at a browser (leading to various kinds of privacy leaks)