sandboxed firefox

Running firefox (on Linux) as a different (unprivileged) user

By Rainer Wichmann rainer@nullla-samhna.de    (last update: Apr 01, 2008)

Internet Explorer 7 (IE7) in Windows Vista runs with low privileges (rather than the privileges of the logged-in user) by default. This is a security feature that mitigates the impact of security vulnerabilities in the browser (or plugins), since even after a successful attack, only very limited privileges are available to the attacker.

While Linux distributions do not support this security model out of the box, Linux has everything needed to implement this with little to no effort. However, even long-time Linux users occasionally stumble over the following problem: How do you authenticate to the X display server?

This article is intended to give a short but concise howto for running firefox (or any other graphical application) under a different (nonprivileged) user.

Step 1: Create the user

In Ubuntu, use the following command to add a user "nonpriv":

sh$ sudo adduser --disabled-password --gecos sandbox nonpriv

In Fedora, use the following commands (as root):

root# groupadd nonpriv
root# useradd -m -g nonpriv -c "sandbox" nonpriv

This will create a new user nonpriv whose primary group is the new group nonpriv, and with login disabled. Since the user is not a member of any other group, it only has access to its own home directory and to world-readable/writeable directories.

Step 2: Create the authentication script

sh$ sudo nano /usr/local/bin/run-firefox.sh
sh$ sudo chown root:root /usr/local/bin/run-firefox.sh
sh$ sudo chmod 755 /usr/local/bin/run-firefox.sh

Copy the lines below into the file /usr/local/bin/run-firefox.sh, then run 'chmod' to make the file executable (see commands above). Make sure the file is owned by root and only writeable by root, since sudo will execute it with root privileges!

#! /bin/sh
# This script is started through sudo, so SUDO_USER holds the name of the invoking user.
HOST=`hostname`
# Take the (last) cookie entry for this host from the invoking user's .Xauthority
XAUTH=`xauth -f "/home/${SUDO_USER}/.Xauthority" list | grep "$HOST" | tail -n 1`

# Switch to the sandbox user, import the cookie into its own .Xauthority, start firefox
sudo su - nonpriv -c "export DISPLAY=:0; xauth add $XAUTH; firefox"

Remark: since the script above will be executed under 'sudo', we need to somehow find the location of the .Xauthority file of the invoking user (you). For security, sudo will remove most environment variables, but adds the SUDO_USER environment variable which contains the name of the invoking user (you). Thus we construct the path as "/home/${SUDO_USER}/.Xauthority". If this does not work for you, you may need to adapt the path.

Step 3: Create an entry in /etc/sudoers

sh$ sudo visudo

Use the 'visudo' command to add the following line at the end of /etc/sudoers:

your_login_name ALL = NOPASSWD: /usr/local/bin/run-firefox.sh
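The following is an added example, not the author's script above: a hardened rewrite of run-firefox.sh that covers the three steps as one piece. It assumes the sandbox user is called nonpriv (Step 1), that it is installed under the same root-owned path and started through the same sudoers entry (Steps 2 and 3), that the display is a local one such as :0, and that the local xauth supports the 'nlist' and 'nmerge' subcommands and getent(1) is available. The function names (valid_username, home_of, xauth_key, self_test) are my own, and the passwd lines inside self_test are constructed sample data.

```sh
#!/bin/sh
# Hardened variant of run-firefox.sh (added example; assumptions: sandbox
# user "nonpriv", a local X display such as :0, xauth with nlist/nmerge,
# and getent(1) available). Run it through sudo exactly like the original.

SANDBOX_USER=nonpriv

# Accept only conventional login names: SUDO_USER is set by sudo, but it is
# used to build a filesystem path, so refuse empty values and anything that
# could carry '/' or '..'.
valid_username() {
    case "$1" in
        '' | *[!a-z0-9_-]* ) return 1 ;;
        [a-z_]* )            return 0 ;;
        * )                  return 1 ;;
    esac
}

# Read passwd-format lines on stdin and print the home directory of user $1.
# Looking the home up instead of hardcoding /home/$SUDO_USER covers users
# whose home lives elsewhere (the "adapt the path" case in the remark above).
home_of() {
    awk -F: -v u="$1" '$1 == u { print $6; exit }'
}

# Turn a hostname and a DISPLAY value (":0", ":0.0", ...) into the key xauth
# uses for a local display, e.g. "myhost/unix:0".
xauth_key() {
    d=${2##*:}      # ":0.0" -> "0.0"
    d=${d%%.*}      # "0.0"  -> "0"
    printf '%s/unix:%s\n' "$1" "$d"
}

# Self-check on constructed sample passwd lines (not taken from any system).
self_test() {
    sample='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/srv/people/alice:/bin/bash'
    h=$(printf '%s\n' "$sample" | home_of alice)
    [ "$h" = /srv/people/alice ] || return 1
    [ "$(xauth_key myhost :0.0)" = myhost/unix:0 ] || return 1
    valid_username alice && ! valid_username '../root'
}

main() {
    if [ -z "${SUDO_USER:-}" ] || ! valid_username "$SUDO_USER"; then
        echo "run-firefox.sh: must be started via sudo by a normal user" >&2
        exit 1
    fi
    disp=${DISPLAY:-:0}
    case "$disp" in :[0-9]*) ;; *) echo "unsupported DISPLAY '$disp'" >&2; exit 1 ;; esac

    home=$(getent passwd "$SUDO_USER" | home_of "$SUDO_USER")
    src="$home/.Xauthority"
    [ -r "$src" ] || { echo "cannot read $src" >&2; exit 1; }

    key=$(xauth_key "$(hostname)" "$disp")
    # Export only that one cookie, in xauth's numeric form, and hand it to
    # nmerge on stdin: the secret never appears on a command line, whereas
    # "xauth add $XAUTH" inside su -c is visible to every local user via ps.
    cookie=$(xauth -f "$src" nlist "$key")
    [ -n "$cookie" ] || { echo "no X cookie for $key in $src" >&2; exit 1; }
    printf '%s\n' "$cookie" | su - "$SANDBOX_USER" -c "xauth nmerge -" || exit 1

    # Start the browser as the sandbox user with su's minimal login environment.
    exec su - "$SANDBOX_USER" -c "DISPLAY=$disp exec firefox"
}

# Only act as a launcher when installed under the expected name; loading the
# file under another name just defines the functions above.
case "$(basename -- "$0")" in
    run-firefox.sh) main "$@" ;;
esac
```

Install it exactly like the original (root-owned, mode 755, the same NOPASSWD line in /etc/sudoers) and start it with 'sudo /usr/local/bin/run-firefox.sh'. The two changes that matter for security are the validation of SUDO_USER before it is used in a path, and moving the cookie transfer from the command line to stdin; everything else is the article's procedure with quoting fixed.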

Start firefox

To start firefox, run the script through sudo (the sudoers entry from Step 3 makes this passwordless): sudo /usr/local/bin/run-firefox.sh

Of course, you can also create a launcher button for your Gnome/KDE panel. In Gnome, just right-click on the panel, choose 'Add to panel', then 'Custom application launcher', and fill in 'sudo /usr/local/bin/run-firefox.sh' as the command.

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.0 Germany License.