Many years ago, when I installed Red Hat 7 as my primary Internet connected workstation, it was like the surfing the web in 1995. Before Firefox, we had Mozilla 1.0 and it was a pleasure to use. It was the first browser with a pop-up blocker and I could count on Linux’s Unix based security model to keep a website from pwning my whole machine. Life was good back then. Now with Linux used in smart phones and more popular on the desktop, the crappyness of the Internet has come here.
If you go to those black hat conferences, you will find that nobody tries to pwn a Linux machine the way they do a Windows one. Instead, the trick is pwn userland. It is almost as good as the whole machine. An attacker can obtain sensitive documents, keepassx databases, tax returns, photos, pretty much everything you have with just access to your $HOME directory.
So how do you prevent it? With Linux and most other Unix based desktops it is possible to run the as a different user in the desktop. All you have to do is:
- Create a low privileged user such as “nobody” or “interwebs”. Add your main user to it’s private group
- Install sshd if it is not already installed
- Set up password user/host equivalence between your main account and the low privileged one.
- Set up a command to execute the browser over SSH the same way you might use xming on Windows to run the OUI, and put a short cut on your desktop with a different icon.
- Use the “trusted” browser to access your bank, email, paypal and such. Use your new “untrusted internet” browser to surf the rest of the interwebs.
Creating the low privileged account:
Set up passwordless ssh user/host equivalence:
[oracle@oracle-linux ~]$ ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/oracle/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/oracle/.ssh/id_rsa. Your public key has been saved in /home/oracle/.ssh/id_rsa.pub. The key fingerprint is: 73:06:f4:aa:fd:b2:e0:fa:86:69:08:09:ae:75:ac:0c email@example.com The key's randomart image is: +--[ RSA 2048]----+ | . | | . . | | . . | |. o | |o. . S o | |E.. o o + | |.= + oo . | |. + +..... | | ..+o .o. | +-----------------+ [oracle@oracle-linux ~]$ ssh-copy-id firstname.lastname@example.org email@example.com's password: Now try logging into the machine, with "ssh 'firstname.lastname@example.org'", and check in: .ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting. [oracle@oracle-linux ~]$ ssh email@example.com date Fri May 29 21:24:41 EDT 2015 [oracle@oracle-linux ~]$
So try running the browser through ssh and xwindows:
[oracle@oracle-linux ~]$ ssh -Y firstname.lastname@example.org firefox &  2304 [oracle@oracle-linux ~]$ /usr/bin/xauth: creating new authority file /home/interwebs/.Xauthority
Now that the broswer has started, you will notice it doesn’t have any of your bookmarks, browser customizations, extenstions, nor anything else assoicated with your main account. You can further verify it is using the low privileged account by accessing the file menu and seeing what home directory you are in:
There you are! Create a shortcut on on the desktop, preferably with a spammy looking icon so you don’t accidentally use it to login to your bank.
- Posted in: Uncategorized