Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] memory management



On Sun, Jun 21, 2015 at 4:19 PM, Richard Pieri <richard.pieri at gmail.com>
wrote:

> On 6/21/2015 9:18 AM, Bill Bogstad wrote:
>
>> I use multiple Firefox user profiles instead.   Some of them allow
>> cookies/javascript and others do not.
>> This probably doesn't help memory usage, but it does allow some (small?)
>> security benefits.
>>
>
> Or use a script blocker like NoScript or uBlock. These offer significant
> security benefits and significantly reduce memory footprint.
>

I do that as well.   Some of my Firefox profiles have NoScript and others
do not.   I have a "junk" profile which has nothing installed, but allows
everything, but discards all history/cookies/etc. when I exit it.


>
>> I'm curious though, how this other user account gains access to your X
>> server.   Allowing other user ids to write on your screen/capture key &
>> mouse events seems to me to be a potential issue.
>>
>
> May need to use xhost to allow the second user access to the X server,
> something like this:
>
> xhost +SI:localuser:myffuser
> sudo -u myffuser /usr/bin/firefox
> xhost -SI:localuser:myffuser
>
> It's not an issue on a single user box; it's the same user (human) with a
> different UID.
>

This is where I disagree.   If it doesn't increase security over using the
same UID, why bother?  And I'm not sure it really increases security all
that much.    For example, breaking out of a browser to run arbitrary code
on the same box as my "real" user id is still a potential security problem.
Any OS level bugs that aren't network exploitable are now in play.  A bit
like having a guest account on the machine.   Not something that most
people do anymore.

Second, if that user id has the privileges to pop up windows on the same X
server as my "real" user id, I might get spoofed, have my screen or even
possibly my keystrokes captured.   It will depend on how my X server is
set up (and its security).   While it isn't a bad idea to run the browser as
a different user, I think it is more like a speed bump or a chain link
fence than a vault door.   Better might be a chrooted environment, Linux
container (Docker?), or even VM.

Now, I have to say that I'm not paranoid enough to bother with this.   I
guess it depends on why you do it.  If it is for user tracking control, I
think different user profiles are sufficient.  If the intent is better
security, I'm not sure it is an improvement.

Bill Bogstad
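
An added example, not part of the original message: a small POSIX shell check that reads `xhost` output and reports which grants let an account other than the session owner connect to the X server, the exposure discussed above. The owner name `bill` and the sample output are constructed for illustration; `myffuser` is the account name used in the thread.

```shell
#!/bin/sh
# Audit X server access grants. Reads `xhost` output on stdin.
# On a live session:  xhost | audit_xhost "$(id -un)"

# Constructed sample of what `xhost` prints after
# `xhost +SI:localuser:myffuser` (session owner "bill" is an assumption).
sample_xhost_output() {
    printf '%s\n' \
        'access control enabled, only authorized clients can connect' \
        'SI:localuser:bill' \
        'SI:localuser:myffuser'
}

# audit_xhost OWNER: prints one line per finding, returns 0 only if clean.
audit_xhost() {
    me="$1"
    findings=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                echo "CRITICAL: access control is off, any client may connect"
                findings=$((findings + 1)) ;;
            "access control enabled"*|"")
                ;;  # status line or blank line, nothing to report
            "SI:localuser:$me")
                ;;  # the session owner's own grant
            SI:localuser:*)
                echo "WARN: local user '${line#SI:localuser:}' may connect to this display"
                findings=$((findings + 1)) ;;
            LOCAL:*)
                echo "WARN: all local users may connect ($line)"
                findings=$((findings + 1)) ;;
            *)
                echo "WARN: non-local grant: $line"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Demonstration on the constructed sample; "|| true" keeps the script's
# own exit status clean when findings are reported.
sample_xhost_output | audit_xhost bill || true
```

Running it after the browser exits confirms that the `xhost -SI:localuser:myffuser` step actually removed the grant.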



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org