# Desktop security?

## reddragon

What's a sensible level of security for a desktop configured with performance in mind?

----------

## Ant P.

Lock down your web browser as far as you can tolerate. You can expect most Linux malware to target Ubuntu users, so be wary of random websites that only offer .debs. Don't run heavy GUI apps as root, and avoid like the plague anything that uses a web browser as a GUI (there's a growing number of them), because none of your normal browser's protection will apply there. And if you care about performance, those things are kryptonite anyway.

That should cover everything bar a targeted attack.

----------

## dpaddy

I can't claim to understand whether this might make anything better, but I came across

```
https://wiki.gentoo.org/wiki/Simple_sandbox
```

----------

## Roman_Gruber

I assume a smaller, well tested desktop environment is the better use case, e.g. i3wm.

When you look at KDE you will see how many "open" bugs are in the open world: plasma this or that, this and that. Especially KDE has a high impact on this forum.

Use as few packages as possible.

Do not carelessly start / enable daemons. Configure all of those.

Use only well known software, not exotic software which has a smaller user base.

My hdd is encrypted, so there is less of a chance of someone tampering with the disk when I am away.

80 percent of gnome2 was not really needed for my desktop needs.

--

*Quote:*

> uses a web browser

The issue is more users not blocking known bad hosts. I add several hosts to the bad host file on a daily basis.

Known bad hosts => e.g. .online, .eu, .xyz (I never saw anything else as bad content on those endings), any facebook related host.

The issue is guys not using plugins which restrict:

*) media playback => annoying advertisements

*) Flash is dangerous; there is a plugin which allows you to see it when you want it (click to run)

*) scriptblocker

*) advanced adblocker

*) pop up blocker

*) auto download disable

--

I use 4 different browsers.

Each browser for a different task, so there is still a profile, but it is less obviously linkable.

----------

## dpaddy

Some years ago I was of particular interest to some (people/bots/whatever), so I looked into net-firewall/iptables...

----------

## saturnalia0

*Ant P. wrote:*

> Don't run heavy GUI apps as root

I'd say don't run them as your regular user... https://wiki.gentoo.org/wiki/Simple_sandbox

Don't run anything as root unless it's really necessary.

----------

## reddragon

This looks promising:

https://github.com/projectatomic/bubblewrap

It's available here:

https://gpo.zugaina.org/sys-apps/bubblewrap

----------

## Proinsias

*Ant P. wrote:*

> Lock down your web browser as far as you can tolerate.

Could you elaborate a little? I use Firefox with noscript & ublock origin, I tend to watch video via mpv. This is more for aesthetics than lockdown, but curious as to the levels of lockdown.

----------

## Hu

NoScript is a good start.  You might also want Policeman, which lets you define on a whitelist basis which domains can use content from other domains, including specifying on a per-content type basis (e.g. may include styles, but not embed images).  Much like with NoScript, you should expect to do some work preparing a whitelist when you first activate it.  Once you have the whitelists for your preferred sites done, you can mostly forget about it.

For anti-tracking, Self Destructing Cookies can arrange for cookies to be deleted when you close all the tabs associated with the cookie origin.

----------

## fcl

*Hu wrote:*

> NoScript is a good start.  You might also want Policeman, which lets you define on a whitelist basis which domains can use content from other domains, including specifying on a per-content type basis (e.g. may include styles, but not embed images).  Much like with NoScript, you should expect to do some work preparing a whitelist when you first activate it.  Once you have the whitelists for your preferred sites done, you can mostly forget about it.
> 
> For anti-tracking, Self Destructing Cookies can arrange for cookies to be deleted when you close all the tabs associated with the cookie origin.

Policeman: Last Updated: January 18, 2015

I think uMatrix does everything Policeman does and better. I actually used Policeman until uMatrix became available for Firefox. An easier choice is to use just uBlock Origin and block 3rd party frames and scripts with it (advanced mode). It requires way less manual configuring.

----------

## Ant P.

I'm using separate Firefox profiles for separate groups of websites, uMatrix in whitelist-only mode, SDC, and one other extension "Consistent HTTPS". I used to use HTTPS Everywhere but it's too bloated, RAM-hungry and slow to start - it would let http links slip through when the browser first starts.

----------

## Proinsias

Decided to try running it in a sandbox starting from scratch. Got SDC, Consistent HTTPS, NoScript, uMatrix, Watch with MPV & Vimperator, still need to set up my other profiles. Everything is peachy at the moment but I suspect only being able to save to /home/ff could become tiresome, time will tell.

Thanks for the tips guys.

----------

## fcl

You should be able to allow access to ~/Downloads for the sandboxed Firefox, depending on the sandbox implementation used.

----------

## saturnalia0

*Proinsias wrote:*

> Decided to try running it in a sandbox starting from scratch. Got SDC, Consistent HTTPS, NoScript, uMatrix, Watch with MPV & Vimperator, still need to set up my other profiles. Everything is peachy at the moment but I suspect only being able to save to /home/ff could become tiresome, time will tell.
> 
> Thanks for the tips guys.

I usually save things to /tmp, though saving them to /home/ff + `chown -R ff:youruser /home/ff` + `find /home/ff | xargs -I'{}' chmod g+rwx "{}"` should work as well. The problem with saving to /tmp is that it has the sticky bit set, and even if you do `chmod -t /tmp` you'd have to do it every time you reboot.

PS: If by any chance you're not happy with Vimperator I suggest taking a look at Pentadactyl.
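Added example (not from any post in this thread): a shell script for the shared download folder that fcl and saturnalia0 describe above, using the setgid bit on the directory so that files the sandbox user saves inherit the shared group instead of needing a fresh `chown -R` each time. It assumes a group that both the sandbox user (e.g. `ff`) and your regular user belong to, passed as the second argument, and that the sandbox user's umask grants group write (e.g. `umask 002`).

```shell
#!/bin/sh
# Shared download directory for a sandboxed browser user and a regular user.
# Assumptions: GROUP exists and both users are members; the writer's umask
# allows group write (setgid propagates the group, not the permission bits).
set -eu

# setup_shared_downloads DIR GROUP
#   creates DIR if missing, gives it to GROUP with mode 2770
#   (owner+group rwx, setgid, nothing for "other"), and repairs
#   content that already exists: dirs get g+rwx+setgid, files get g+rw.
setup_shared_downloads() {
    dir=$1
    group=$2
    mkdir -p "$dir"
    chgrp -R "$group" "$dir"
    chmod 2770 "$dir"
    # subdirectories need setgid too, or the group stops propagating there
    find "$dir" -type d -exec chmod g+rwxs {} +
    find "$dir" -type f -exec chmod g+rw {} +
}

# check_shared_downloads DIR GROUP
#   returns 0 when DIR is setgid, everything below it is owned by GROUP,
#   every file is group rw and every dir is group rwx+setgid;
#   prints the first offending path and returns 1 otherwise.
check_shared_downloads() {
    dir=$1
    group=$2
    [ -g "$dir" ] || { echo "missing setgid: $dir"; return 1; }
    bad=$(find "$dir" ! -group "$group" | head -n 1)
    [ -z "$bad" ] || { echo "wrong group: $bad"; return 1; }
    bad=$(find "$dir" -type f ! -perm -060 | head -n 1)
    [ -z "$bad" ] || { echo "file not group rw: $bad"; return 1; }
    bad=$(find "$dir" -type d ! -perm -2070 | head -n 1)
    [ -z "$bad" ] || { echo "dir not group rwx+setgid: $bad"; return 1; }
    return 0
}
```

Run `setup_shared_downloads /home/ff/Downloads ffshare` once as a user allowed to chgrp the tree, then bind that directory into the sandbox; `check_shared_downloads` tells you which path broke the scheme if a download later turns out unreadable.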

----------

