Walls around walled gardens

09.12.2009 21:21

On computers that I trust with private personal information (like credit card numbers, personal e-mail, etc.) I strictly use only open-source software. Although I know this doesn't give perfect security, I still believe the chances of someone shipping malware in such applications for any significant amount of time are pretty low.

However, sometimes the real world interferes with this policy and I'm forced to use some binary blob. For example, we use Skype extensively at Zemanta for communicating between our offices around the world. Another, more recent example is the Google Chrome browser, which I had to install to test the new extension.

Google ships the latest beta of Chrome as a Debian package. This normally requires root privileges to install, which also means that you're giving root access to the system to any post- or pre-install scripts Google might include in the package. Yeah, right.

However, even if you skip the normal installation process, running untrusted code in your normal user account is asking for trouble. Everything I care about on my computer is accessible from my normal user account. Plus, it's trivial to do nasty stuff behind a user's back even with access to only that one account, and to do it in a way that is only detectable when logged in from another account (not something I do often).

So, how did I run Google Chrome in a safe way on my computer?

First I created a normal, unprivileged account.

# adduser chrome

I used pwgen to generate a long, random password for the account.

Then I downloaded and unpacked Google's official Debian package into the home directory of the user I had just created.

# cd /home/chrome
# dpkg -x google-chrome-beta_current_i386.deb .

Now, the only step left is to run opt/google/chrome/google-chrome under the chrome UID.

Chrome needs to access your X server in order to display things on the screen, and arranging that is not very straightforward. However, Gnome comes with a helpful little utility called gksu that takes care of all the bookkeeping for you and also allows you to save the chrome user's password so you don't need to enter it each time you start Chrome.

$ gksu -u chrome /home/chrome/opt/google/chrome/google-chrome

And that's it. Chrome should start up, and it will only be able to access and modify things in its own home directory. Depending on your own home directory permissions, it might not even be able to read your documents. It's possible to make sharing files between your account and Chrome's pretty painless, but that is left as an exercise for the reader. The command line above can also be turned into a Gnome Panel launcher for one-click start-up.

To eradicate all traces of Chrome, you only have to delete the chrome user account and all files owned by it.

This same method works for Skype and probably other proprietary software. The only thing to keep in mind is never to run anything that came from an untrusted source under anything other than its very own, special, limited account. Also note that as long as an untrusted application is displaying things on your X server, it can record and intrude on anything you do on that X server, even in other windows. However, once it's stopped (and you can easily check that by looking for processes running under its user account), things should be secure again.
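A small helper for the two housekeeping steps above: checking that nothing still runs under the sandbox account before trusting the X server again, and listing every file the account owns before deleting it. This is an added example, not from the original post; it assumes a Linux /proc filesystem and the standard id and find tools, and the account name "chrome" is just the one used above.

```shell
#!/bin/sh
# Helpers for a sandbox account such as "chrome" (added example, not from the post).

# Return 0 if any process currently runs with the given numeric real UID,
# 1 otherwise. Reads /proc/<pid>/status directly, so it does not depend on
# ps or pgrep being installed.
procs_running_as_uid() {
    uid="$1"
    for status in /proc/[0-9]*/status; do
        [ -r "$status" ] || continue
        # The "Uid:" line lists real, effective, saved and fs UIDs; take the real one.
        real_uid=$(awk '/^Uid:/ { print $2; exit }' "$status" 2>/dev/null)
        if [ "$real_uid" = "$uid" ]; then
            return 0
        fi
    done
    return 1
}

# Same check by account name. Returns 2 if the account does not exist at all,
# which is what you see after the account has already been removed.
sandbox_user_active() {
    name="$1"
    uid=$(id -u "$name" 2>/dev/null) || return 2
    procs_running_as_uid "$uid"
}

# List every file owned by the account on the given filesystem (default: /),
# including anything outside its home directory, so the cleanup step
# "delete all files owned by it" does not leave strays behind.
files_owned_by() {
    name="$1"
    root="${2:-/}"
    find "$root" -xdev -user "$name" 2>/dev/null
}

# Typical use, once the sandboxed application has been closed:
#   sandbox_user_active chrome || echo "nothing runs as chrome; X server is yours again"
#   files_owned_by chrome | xargs -r rm -rf   # then: deluser chrome
```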

Posted by Tomaž | Categories: Code

Comments

>>On computers that I trust with private personal information (like credit card numbers, personal e-mail, etc.) I strictly use only open-source software.

Now that's an interesting question. Has there ever been a malicious patch submitted to a free software project that resulted in a significant security problem? Off the top of my head I can't think of any, though I'm not incredibly au courant.

I remember this attempt in Linux kernel that came close: http://kerneltrap.org/node/1584

Posted by Tomaž
