# any benefit to running firefox as different user?

## turtles

I have seen some discussion of running browsers like firefox as a different user as a way to chroot them:

http://calum.org/posts/running-firefox-as-another-user-using-sudo

I am interested if there are any real benefits to this?

Are there any documented cases of a Linux desktop being backdoored by a web browser or Flash-type stuff?

Thoughts?

----------

## 666threesixes666

As opposed to running firefox as root? My systems are not run as root; I add locked-down users. I wouldn't sudo -u ff -H firefox, I'd instead be logged in as user and run firefox. It's a very bad idea to run anything interacting with the net as root.

----------

## The Doctor

I do this with skype, spotify, and wine. I haven't felt a particular need to do this with firefox because I generally trust the sites I visit. However, I do think it has benefits since any back door or nasty script is then contained in a separate user account. However, anything you download or upload will have to either go through that account or that account will need read/write access to your main account which defeats the purpose.

I am afraid I don't know of any specific examples of compromised computers. I think java may actually be a bigger threat than flash, but flash has plenty of potential to be nasty on its own.

----------

## PaulBredbury

 *turtles wrote:*   

> any real benefits to this?

 

Security, of course. There's tons of Chinese hackers who would love to hack the Pentagon's mainframe via your PC, since then YOU have to explain what all those suspicious packets were ;)

Personally, I use (and recommend) AppArmor, to lock down apps, especially Internet-facing apps, proprietary apps, and apps that run as root.

 *Quote:*   

> documented cases

 

A quick google shows: Chrome exploit, Java exploit, Pwn2Own successes.

I experienced the amusing acroread bug which attempted to write a Windows log file via the Adobe Reader web plugin.

Since these plugins (Adobe Reader, Flash, Java) are spawned from firefox, they are under AppArmor's protection too.

Interestingly, Ubuntu does use AppArmor to protect Firefox, but the default Ubuntu rules are so loose (so as not to inconvenience users) that Ubuntu allowed the Reader log file to be written. My rules are much more strict ;)

 *The Doctor wrote:*   

> will need read/write access to your main account

 

Not really - it's called a demilitarized zone, which for me is a single directory.

----------

## turtles

 *666threesixes666 wrote:*   

> as opposed to running firefox as root?  

No, as opposed to running firefox or chrome as your regular user.

I am strongly considering making another user for web browsers that cannot access my normal user account.

I will then have to manually move files to that user's account and chown them to upload to the internet, which would be a PITA.

 *PaulBredbury wrote:*   

> Security, of course. There's tons of Chinese hackers who would love to hack the Pentagon's mainframe via your PC, since then YOU have to explain what all those suspicious packets were 
> 
> Personally, I use (and recommend) AppArmor, to lock down apps, especially Internet-facing apps, proprietary apps, and apps that run as root. 

 

Thanks Paul, that's what I meant: security benefit that outweighs the decreased usability for users. I have seen those conferences, what skilled hackers can do, but I wonder, is it really so common now that this should be SOP?

I'll look into AppArmor.

----------
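One way to check the single shared directory PaulBredbury describes, in place of the per-file chown turtles mentions, as an added example that is not part of any post in this thread. It assumes GNU stat, a group common to the regular and browser accounts, and a setgid shared directory; the paths in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example: permission audit for a separate browser account.
# Assumptions (not from the thread): GNU stat; the shared directory is
# group-shared between the two accounts and carries the setgid bit.

# Print the octal mode of a path padded to four digits (0700, 2770, ...).
mode_of() {
    raw=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    printf '%04d' "$raw"
}

# 0 if "others" have no access bits on the main user's home directory,
# 1 if they do, 2 if the path cannot be inspected. The browser account must
# also stay out of the directory's group for this to mean anything.
home_is_private() {
    m=$(mode_of "$1") || return 2
    case "$m" in
        ???0) return 0 ;;
        *)    return 1 ;;
    esac
}

# 0 if the shared directory is setgid, group rwx and closed to others.
# setgid makes files created in the directory inherit its group, so copies
# placed there are reachable by both accounts without a manual chgrp.
dmz_is_shared() {
    m=$(mode_of "$1") || return 2
    case "$m" in
        [2367]?70) return 0 ;;
        *)         return 1 ;;
    esac
}

# Report both checks; the exit status is the number of failed checks.
audit() {
    fails=0
    home_is_private "$1" || { echo "FAIL: $1 is reachable by other accounts"; fails=$((fails + 1)); }
    dmz_is_shared "$2"   || { echo "FAIL: $2 is not a setgid, group-only directory"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: $1 private, $2 shared by group only"
    return "$fails"
}

# Usage: sh audit.sh /home/alice /home/shared-dmz   (hypothetical paths)
if [ "$#" -eq 2 ]; then
    audit "$1" "$2"
fi
```

The mode bits only describe who may enter each directory; an AppArmor profile, as recommended earlier in the thread, restricts the browser process itself.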

## PaulBredbury

Nah, it's not worth the effort to set up. Fuhgeddaboutet.

BTW, what's yer IP address, and do you use Internet banking? Just, erm, wondering ;)

----------

## turtles

Those contests are indeed interesting...   

Why did they drop Ubuntu after the first year when nobody hacked it?

----------

