web browser suid [was Preemptive strategies]

Robert Connolly robert at linuxfromscratch.org
Mon Sep 29 21:11:58 PDT 2008


In the spirit of splitting up privileges, has there been much consideration 
into installing web browsers as suid user "webbrowser", or something along 
these lines.

These programs do a lot of downloading... for example they could download to a 
partition which is noexec, so nothing downloaded could be executed directly. 
I haven't tried this, and don't know it if works.

A user "webbrowser" would also keep the browser from overwriting files 
in /home/<myuser>.

In Linux, web-based plugin installs are extremely rare unless you're root, in 
my experience.

Partitioning the browser would help reduce privilege escalation, including to 
non-root users (especially non-root users with sudo rules).

This is just a random thought that occurred to me when thinking about the 
problem Windows has when installing all plugins as root, and that it could 
affect Linux users installing/running as their own user.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://lists.linuxfromscratch.org/pipermail/hlfs-dev/attachments/20080930/1cccd86f/attachment.sig>

More information about the hlfs-dev mailing list