Gentoo Wiki


First published at

As the browser is one of the most common points of entry into a system, it makes sense to do everything that is possible to secure it.

Any sane user will never browse the web as root (or an account with Administrator access in Windows*), as any malware would then be able to do anything on the whole machine.

So, in Linux, of course I use my normal user account, and trust in the fact that Linux, on an AMD64 processor, is fairly safe.

However, this means that should my browser be compromised, the only files it can alter/delete are the ones owned by my own user account. Which is pretty much everything. So, although something bad wouldn't mean I'd have to reinstall my box, I'd have lost all my files.

To see what files and directories you have write access to now, try this:

find / \( -user "$USER" -perm /u=w \) -o \( -perm /o=w \)

Solution? Run your browser as another user.

/bin/su -
adduser -m ff    # don't assign it a password

Now run visudo (if you don't have it, install sudo: emerge sudo). This will open up a vi window. Add the following lines to it:

User_Alias  X_USERS = yourusername
Defaults:X_USERS env_reset
Defaults:X_USERS env_keep += DISPLAY 
Defaults:X_USERS env_keep += XAUTHORITY 
yourusername           yourhostname=(ff)      NOPASSWD: /usr/bin/firefox

Then transfer your whole .mozilla dir to the ff user directory.

mv ~yourusername/.mozilla ~ff/ -iv
chown ff:users ~ff/.mozilla/ -Rfv

Exit out of the root shell, back to your normal user account.

xhost local:ff

Add the xhost command to /etc/conf.d/local.start (in Gentoo) so you don't have to remember to run it each time, or to your Firefox launch icon/script. Then start Firefox as ff:

sudo -u ff -H firefox

Change your standard Firefox launch icon to run this command each time.

You should see a Firefox window pop up, with all your old bookmarks, settings, etc. However, it's running now as "ff".

This means that the browser can't access any files that the user ff can't access, which hopefully should include all your files. Create a directory in ~ff/, and change the permissions to allow your normal user account to read and write files there. You can use this to copy files between your two accounts. To see what files and directories ff can write to, run:

find . \( -user ff -perm /u=w \) -o \( -perm /o=w \)

It should be much less than before.
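
The "hopefully" above can be checked. The find commands on this page list what is writable; the added example below (not part of the original page) also reports what another local account such as ff can still read under a directory. The function names exposed_paths and audit_home are made up for this example, and only the "other" permission bits are examined (group membership, ACLs and the directories above the one you pass in are assumed not to matter).

```shell
#!/bin/sh
# Added example, not from the original page. Hypothetical helper names.
# Reports what a *different* local account (e.g. the "ff" browser user) can
# reach under a directory, judged from the "other" permission bits only.

# exposed_paths MODE DIR
#   MODE is "r" (readable by others) or "w" (writable by others).
#   Directories that others cannot traverse (no o+x) are pruned: nothing
#   below them is reachable, whatever the modes of the files inside say.
#   Symlinks are skipped because their own mode is always 777.
exposed_paths() {
    mode=$1
    dir=$2
    find "$dir" -type d ! -perm -o=x -prune -o \
         ! -type l -perm "-o=$mode" -print | sort
}

# audit_home DIR
#   Prints a one-line summary and returns non-zero if anything under DIR
#   is writable by other accounts.
audit_home() {
    dir=$1
    readable=$(exposed_paths r "$dir" | wc -l)
    writable=$(exposed_paths w "$dir" | wc -l)
    echo "$dir: $readable readable, $writable writable by other accounts"
    [ "$writable" -eq 0 ]
}
```

Run audit_home "$HOME" as your normal user after the setup. A home directory with mode 700 is pruned at the top and reports zero for both counts.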

(In Windows, you can look into the runas command.)

You can also use this system for maintaining multiple browser "personalities", so that advertisers can't link user A at site X with user B at site Y.

This was tested on Gentoo Linux, running KDE, and Firefox 2. It works for me. For further browsing enjoyment, install the Adblock, NoScript, and Flashblock plugins, extensions, add ons (or whatever they're called this week).


Last modified: Sat, 09 Aug 2008 11:46:00 +0000 Hits: 910