Howto: run firefox (and other things) as a separate user with Xephyr

Discussion in 'all things UNIX' started by Gullible Jones, Oct 3, 2012.

Thread Status:
Not open for further replies.
  1. Perhaps you've tried running Firefox as a separate user and realized you couldn't make it work without compromising Xorg's security (such as it is). This is a somewhat hacky way around X display permissions issues.

    The trick is that a Xephyr session running as your user - a limited X server that runs as a window inside your real X session - is accessible by applications running as other users.

    So say your user is creatively called "user." You can create a new user:
    # useradd -m -s /bin/bash userbox
    Now as your user you run Xephyr from a terminal or whatever, e.g.
    user$ Xephyr :1 -screen 800x600 -host-cursor
    or more generally
    user$ Xephyr :[display number] -screen [resolution] -host-cursor
    The '-host-cursor' option is important, at least for Firefox - without it the dropdown menus won't work properly.

    Now you just su to the new user and run Firefox on the new display...
    # su - userbox
    userbox$ DISPLAY=:1 firefox
    You now should have a Firefox window inside the Xephyr window. The fonts may be small and the window won't be perfectly sized, but it should work fine.

    If you download stuff, you can pull it into your normal user's home. You won't be able to delete it from the new account as your user, but you can do it easily enough from the new one.

    As for how much real-world protection this provides, I'm not sure, but I'd hazard it's not much - certainly less than a chroot sandbox. However, if you have the right permissions on your home directory, you can prevent the sandbox user from reading from or writing to your files, while allowing your user to read from the sandbox; so an attacker would not be able to steal or modify arbitrary personal data, unless (s)he had a privilege escalation exploit on hand. This is done by making your home directory only readable by your user:
    user$ chmod go-rwx ~
    Congratulations, you now know how to implement an extremely primitive security measure against a malware threat that might never appear!

    P.S. You can also run a window manager in the Xephyr window. Needless to say this helps, since it lets you move and resize applications...
  2. And an update: -host-cursor is not necessary if you use a window manager in the Xephyr window. It still tends to produce more desirable behavior though.

    Also, I'm currently trying to figure out how to limit a given "box" user to a given "real" user, beyond just keeping the passwords secret. Not that this strategy is likely to be a good one for multiuser setups... Also I'm looking for a way to limit "box" logins to su, to prevent accidental logins as a "box" user.

    (I should probably give up on this and just use a Tomoyo kernel or something, but it's kind of fun to see how much can be done with UNIX permissions alone.)
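The steps from post 1 (useradd, Xephyr, su, chmod go-rwx ~) and the "limit box logins to su" idea from post 2, collected into one POSIX sh script. This is an added example, not code from the thread: "userbox", display :1, 800x600 and -host-cursor are taken from the posts; the function names, the use of sudo, the preflight checks and the `passwd -l` step (Linux shadow-utils; BSDs use `pw lock`) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Wraps the manual steps from post 1 in
# functions and adds a preflight check before Xephyr is started.
# Assumptions: sudo is available, passwd -l is the Linux shadow-utils form,
# and Xephyr puts its socket under /tmp/.X11-unix like a normal X server.

# Command line from post 1: Xephyr :[display] -screen [resolution] -host-cursor
xephyr_cmd() {
    printf 'Xephyr :%s -screen %s -host-cursor' "$1" "$2"
}

# True only when group and other have no rwx bits on the directory, i.e. the
# state "chmod go-rwx ~" leaves your home in. Parses ls -ld rather than stat,
# whose flags differ between GNU and BSD userlands.
home_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# True when the Unix socket for display :$1 exists. $2 is the socket directory
# (defaults to /tmp/.X11-unix; overridable so the check can run offline).
display_socket_exists() {
    [ -S "${2:-/tmp/.X11-unix}/X$1" ]
}

# Preflight: refuse to start if the real user's home is still group/world
# accessible, or if the display number is already taken.
preflight() {
    home=$1 disp=$2 sockdir=$3
    if ! home_is_private "$home"; then
        echo "preflight: $home is accessible to other users; run: chmod go-rwx $home" >&2
        return 1
    fi
    if display_socket_exists "$disp" "$sockdir"; then
        echo "preflight: display :$disp already in use" >&2
        return 1
    fi
    return 0
}

# Create the box user once. Locking its password means only root can su to it,
# which is one answer to post 2's wish to limit box logins to su.
create_box_user() {
    id "$1" >/dev/null 2>&1 && return 0
    sudo useradd -m -s /bin/bash "$1" && sudo passwd -l "$1"
}

# Run program $4 as box user $1 on a Xephyr display :$2 of size $3, exactly as
# the thread does it: Xephyr runs as the real (calling) user, the program as
# the box user via su from root.
run_boxed() {
    box=$1 disp=$2 res=$3 prog=$4
    create_box_user "$box" || return 1
    chmod go-rwx "$HOME"
    preflight "$HOME" "$disp" /tmp/.X11-unix || return 1
    # The arguments contain no whitespace, so word-splitting the string is safe.
    $(xephyr_cmd "$disp" "$res") &
    xephyr_pid=$!
    # Wait (up to 5 s) for Xephyr to create its socket before su'ing over.
    for i in 1 2 3 4 5; do
        display_socket_exists "$disp" && break
        sleep 1
    done
    sudo su - "$box" -c "DISPLAY=:$disp $prog"
    kill "$xephyr_pid" 2>/dev/null
}

# Usage (needs a running X session and sudo), e.g. after sourcing this file:
#   run_boxed userbox 1 800x600 firefox
```

The preflight check is the part worth keeping even if you type the rest by hand: the home-directory permissions are the only thing in this setup that separates the box user's data from yours, so verify them before launching rather than after. As the post itself notes, the Xephyr display is reachable by applications running as other users, so the nested display is a convenience, not a boundary.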