I know SELinux or AppArmor is a better approach, but I'm interested in how much can be done with the normal UNIX DAC system. I already know how to make Firefox run as its own user, using su, xhost, and a user belonging only to its own group, but I have some questions on how to improve this.

1. What's the best way to start Firefox as its own user automatically? I'm guessing using the suid bit is not it, since you might wind up running Firefox as root if the package manager changes the permissions.

2. Is there a better way to use xhost or such? AFAIK I have to run xhost in my user's profile script, or wherever, to allow connections to the X display from Firefox's dedicated user. Is there a better way to handle this? (The best I can think of right now is adding a new group, and running xhost from /etc/profile for users in that group. Seems like a bit of a kludge though.) Also, how much of a security hazard is it to allow local connections from the new user?

3. Is there any way to make this Firefox setup safe for multiuser systems? The problem on a multiuser system is that, with Firefox running as its own user, everyone using it has access to other people's profiles, sessions, and downloaded files. That is really, really not good. Is there a way to avoid this situation without having a million different profiles for limited Firefox users? Am I correct in suspecting that it would require the use of ACLs, or is it just not possible?
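The launcher pattern the question is circling around (points 1 and 2), as an added example that is not from the original post: a wrapper that refuses a setuid Firefox binary, grants X access to exactly one local account with a server-interpreted xhost entry instead of `xhost +local:`, revokes it when Firefox exits, and switches user through sudo rather than a setuid bit. It assumes a dedicated account named `ffuser` in its own group and a sudoers rule such as `alice ALL=(ffuser) NOPASSWD: /usr/bin/firefox`; both names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the account "ffuser"
# exists and that /etc/sudoers.d grants the desktop user
#   alice ALL=(ffuser) NOPASSWD: /usr/bin/firefox
# sudo is used instead of a setuid bit: a package upgrade that resets file
# modes cannot then turn this wrapper into Firefox running as root.

FF_USER="${FF_USER:-ffuser}"
FF_BIN="${FF_BIN:-/usr/bin/firefox}"

# The xhost entry that admits one local Unix user only. "xhost +local:"
# would admit every local account, which is the hazard the question asks about:
# any client admitted to the display can read keystrokes and window contents
# of every other client on that display, so admit as few accounts as possible.
x_acl_entry() {
    printf 'SI:localuser:%s\n' "$1"
}

# Refuse to run a binary that has acquired the setuid bit (e.g. after a
# package manager rewrote its permissions). Returns 1 if setuid is set.
check_not_setuid() {
    if [ -u "$1" ]; then
        echo "refusing: $1 is setuid" >&2
        return 1
    fi
    return 0
}

run_firefox() {
    check_not_setuid "$FF_BIN" || return 1
    entry=$(x_acl_entry "$FF_USER")
    xhost "+$entry" >/dev/null                     # grant for this session
    trap 'xhost "-$entry" >/dev/null 2>&1' EXIT    # revoke when Firefox exits
    # -H gives ffuser its own HOME; only DISPLAY is passed through. No
    # XAUTHORITY is needed because access is granted by the xhost entry.
    sudo -u "$FF_USER" -H env DISPLAY="$DISPLAY" "$FF_BIN" "$@"
}

# Only launch when installed under this name, so the functions can be sourced.
case "$(basename "$0")" in
    firefox-sandboxed) run_firefox "$@" ;;
esac
```

The xhost grant applies only to the invoking user's own display, so it does nothing for the multiuser problem in point 3; that is a separate profile-ownership question.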