Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] memory management

On Sun, Jun 21, 2015 at 4:19 PM, Richard Pieri <richard.pieri at>

> On 6/21/2015 9:18 AM, Bill Bogstad wrote:
>> I use multiple Firefox user profiles instead.   Some of them allow
>> cookies/javascript and others do not.
>> This probably doesn't help memory usage, but it does allow some (small?)
>> security benefits.
> Or use a script blocker like NoScript or uBlock. These offer significant
> security benefits and significantly reduce memory footprint.

 I do that as well.   Some of my FireFox profiles have NoScript and others
do not.   I have have a "junk"
profile which has nothing installed, but allows everything, but discards
all history/cookies/etc. when I
exit it.

>  I'm curious though, how this other user account gains access to your X
>> server.   Allowing other
>> user ids to write on your screen/capture key & mouse events seem to me to
>> be a potential issue.
> May need to use xhost to allow the second user access to the X server,
> something like this:
> xhost +SI:localuser:myffuser
> sudo -u ffuser /usr/bin/firefox
> xhost -SI:localuser:myffuser
> It's not an issue on a single user box; it's the same user (human) with a
> different UID.

This is where I disagree.   If it doesn't increase security over using the
same UID, why bother.  And I'm not sure it really increases security all
that much.    For example, breaking out of a browser to run arbitrary code
on the same box as my "real" user id is still a potential security problem.
  Any OS level bugs that aren't network exploitable are now in play.  A bit
like having a guest account on the machine.   Not something
that most people do anymore.

Second, if that user id has the privileges to pop up windows on the same X
server as my "real" user id; I might get spoofed, have my screen or even
possibly my keystrokes captured.   It will depend on how my X server is
setup (and its security).   While it isn't a bad idea to run the browser as
a different user, I think it is more like a speed bump or a chain link
fence than a vault door.   Better might be a chrooted environment, linux
container (docker?), or even VM.

Now, I have to say that I'm not paranoid enough to bother with this.   I
guess it depends on why you
do it.  If it is for user tracking control, I think different user profiles
are sufficient.  If the intent is better
security, I'm not sure it is an improvement.

Bill Bogstad

BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /