[lug] Firefox chroot
Hugh Brown
hugh at math.byu.edu
Mon Feb 26 06:23:44 MST 2007
Daniel Webb wrote:
> After reading about so many Firefox exploits, it occurred to me that it is
> probably the most insecure thing I use by far. I created a little Debian Etch
> install with debootstrap and only installed locales and firefox. Does it make
> a bit of difference? Mainly, I'd like to keep an attacker from being able to
> view or delete the contents of my home directories.
>
> I'm especially thinking about the X connection which Firefox obviously has to
> have. If an application doesn't have focus from the window manager, can it
> still see the keystrokes going through the X server (Xvnc in my case)? In
> other words, if Firefox can see everything I'm typing even if I'm in an xterm
> in a different window, there probably isn't much point in what I'm doing. The
> window manager is not running in the chroot jail, it's running on the main
> system, of course. I'm currently just using TCP/IP for the X connection (I
> assume), is a socket connection faster? I also assume I can just hardlink the
> appropriate /tmp/.X11-unix socket, but I'm not really sure and haven't tried
> yet since it's working.
>
Another approach is to run Firefox with the NoScript extension. It
disables all JavaScript/Flash.
Hugh