5

After watching a talk by Douglas Crockford on security where he talks about how browsers got the right answer to the question "Who's interest does the program represent?", I wondered if it was feasible and a good idea to run some programs as another user.

I'm running Debian but I guess this could apply to any OS.

I tend to trust anything coming from the stable, backports and testing repositories (please tell me if I shouldn't) but whenever I install something else, something that isn't on these repositories, I don't really trust it. And I have quite a few of those from Mathematics programs such as Maple to browsers such as Chrome to games such as Heroes of Newerth.

Since that makes me unable to trust my own OS, I boot on a live CD every single time I want to use my credit card.

So I was wondering if just running those programs as a specific user could be of any help. I'm fine with Chrome being able to see everything I do online but that's where it must stop. I'm fine with Heroes of Newerth seeing what mods I installed, updating its files and so on but I don't want it to be able to access the browser's cache or anything else.

From my understanding of how this works, I'd be able to run each not-totally-trusted program as a separate user, giving them the read and write access to only the files they need.

Is this feasible (like, will I be able to still control volume and other per-user things?)? And will it add the kind of security I want?

Thank you in advance for your answers.

P.S.: I've already found this: Execution of possibly harmful program on Linux

But a virtual machine won't work for video games, I'm already doing the live CD thing but it's kind of annoying, the chroot thing seems overly complicated since I'd need to get the libraries etc. and the sandbox is just an upgraded chroot. And he says using users is useless because the files can be accessed if you don't set the proper rights. But I can just remove read access to anyone but me, can't I?

Improve this question
4
  • 1
    SELinux and AppArmor provides more control that user can do x y and z. It allows restrictions to also be placed on the running application. Also, IMO, you are more likely to have your credit comprised from a company who has it then for the compromise to happen on your own machine. Commented Mar 1, 2013 at 18:42
  • Thank you. I'll take a deeper look at SELinux soon (since the other one seems to be far more complicated to install). Commented Mar 1, 2013 at 19:24
  • And the credit card is the only thing I boot a live CD for but I'd prefer to have my mail accounts etc. safe too. Commented Mar 1, 2013 at 19:25
  • @xavierm02 I had exactly the same concern here: unix.stackexchange.com/questions/103999/…. I still think that running it as another user helps more than doing nothing! Besides if you can, just block internet access to this program completely: serverfault.com/questions/550276/… Commented Dec 12, 2013 at 7:12

1 Answer 1

Reset to default
6

Running programs with uid different from the one that owns your data files provides some additional security - the applications shouldn't be able to access the data (or at least to write them if the alternative user is in the same group and you are using umask 0022). On the other hand it's very unlikely to shield you from local exploits - generally you want the alternative user to have a very similar set of rights to your main account. Hence it will be able to attack the system in similar fashion as if it were run with your main uid. If you want it to access your files you basically want to run it under your account.

As far as applications with X11 GUI are concerned, you have to give them access to your X server - which they can misuse. To be safe, you'd have to run those under a separate (e.g. nested) X server.

Using alternative user really won't give you much security (as is also mentioned in the question you are mentioning).

That said, while being paranoid doesn't mean they're not after you, are you sure that your system is the weakest link? You are mentioning emails - are you really in full control of the actual mail accounts? Are these kept on a highly secured server to which only you know the passwords, that is running only a fully patched mail server and kernel, and using only SSL/TLS secured protocols for transferring data to your machine? Have you reviewed the actual implementation of both client and server side of the SSL/TLS libraries? Are you sure your mail client is not spying on you (or at least that it is free of security holes). Your OS and kernel? Your UEFI? Your keyboard? The mail server's UEFI? (I'm intentionally omitting BIOS, since that is as insecure as it can get when it comes to booting.)

On the other hand, do you have a reason to believe that Waterloo Maple or Wolfram Research are putting backdoors into their software? If you are afraid these applications are remotely exploitable, just cut them off from network and that's it.

Improve this answer
14
  • The thing is, I can't control how well my emails are protected and I'm sure they do it better than I would if I were to set my own email server. So I just assume they to it safely enough since I have no alternative. But I can affect what's running on my computer and I'd like to make sure it's not the weakest part or that, if it is, it isn't too weak. Commented Mar 2, 2013 at 11:34
  • 1
    And no, the per program users would have less rights. HoN would have only internet and his files, chrome only internet and printer etc. Commented Mar 2, 2013 at 11:37
  • And I assume my OS etc. is safe too because I'm far from having the competence to understand how it works. But since it's open source, I'm fine. On the contrary, all the programs I named are close-sourced. Commented Mar 2, 2013 at 11:39
  • OK, that's fair enough. Nevertheless, using different user to run program under the same X server is (from security point of view) just half-cooked. Running the programs under separate X servers might help a bit and you can also try to use LXC to separate the processes even more. Full virtualisation is of course the best solution (apart from two physical computers) and there are even some attempts on virtualised accelerated graphic card (the performance wouldn't be what you'd probably need for HoN, but it's under development). Commented Mar 2, 2013 at 20:39
  • 1
    @IliaRostovtsev I think I explained it clearly enough - it doesn't protect you from local vulnerabilities. If you expect the application to be malevolent, then the first question really is is whether you need it that much. If you do, my preference would be running it in a virtual machine or constrained by for example GRSecurity, SELinux or AppArmor. Commented Dec 15, 2013 at 16:02

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.