Privileges give to your web browser

[Virchanza]

A lot of people will advise you not to run programs such as web browsers and media players as root, reason being that if the program is exploited, the hacker has full access to your system.

However, if you run these programs as a normal user, there's still one very big problem: The program has full access to your home folder.

Now I don't know about anyone else, but the most valuable thing on my machine is my home folder. You could wipe all my applications, all my settings, my entire operating system, and I'll be able to replace it all within a day or two. My home folder however is valuable. I back it up from time to time, but still there's always gonna be stuff that I don't wanna lose.

So with that said, I think something like a web browser should be run as a different user which doesn't have access to your home folder. That way, even if it the program gets exploited, there's not too much it can do.

Has anyone ever played around with this before?

[KMDave]

Did you look into setting up a jailed environment?

[lupin]

A lot of people will advise you not to run programs such as web browsers and media players as root, reason being that if the program is exploited, the hacker has full access to your system.

However, if you run these programs as a normal user, there's still one very big problem: The program has full access to your home folder.

Now I don't know about anyone else, but the most valuable thing on my machine is my home folder. You could wipe all my applications, all my settings, my entire operating system, and I'll be able to replace it all within a day or two. My home folder however is valuable. I back it up from time to time, but still there's always gonna be stuff that I don't wanna lose.

So with that said, I think something like a web browser should be run as a different user which doesn't have access to your home folder. That way, even if it the program gets exploited, there's not too much it can do.

Has anyone ever played around with this before?

One suggested method to get around this that I have heard of is to use a browser virtual appliance, e.g.

Browser Appliance | Virtual Appliance Marketplace


Of course this is really just running a new OS in a VM and browsing in that VM.

Using a jail as KMDave suggested is also good.

In Windows there are various process control tools that can be used to define what particular applications can do (e.g. what registry access can it perform, what files can it write to, etc). Its been a while since I looked at this, but I think the app I was doing this with was WinPooch?

I don't know if there is a Linux equivalent to that, but you may want to investigate Linux Host Based Intrusion Prevention/Detection systems to see if they will fit the bill for controlling what the browser process can access.

[Wolfbane]

For those interested in Windows process control tools I would suggest checking out Sandboxie

"Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer."

[hitthemlow]

Did you look into setting up a jailed environment?

Theres a big problem with that, every jail has its flaws, I know a guy who set up like 90% of his system in an almost flawless chroot jail, all run as a secondary user, etc. I would have thought it close to impossible to get into. Until we found a flaw one day... which would have resulted in anyone spawning a root shell....

ANyway, point of that story is, a jail is good, but it shouldnt be your only protection, regular backups trump an army of HIDS, and firewalls everyday (reverse connection of course)

[lupin]

Theres a big problem with that, every jail has its flaws, I know a guy who set up like 90% of his system in an almost flawless chroot jail, all run as a secondary user, etc. I would have thought it close to impossible to get into. Until we found a flaw one day... which would have resulted in anyone spawning a root shell....

ANyway, point of that story is, a jail is good, but it shouldnt be your only protection, regular backups trump an army of HIDS, and firewalls everyday (reverse connection of course)

Yes, no protection mechanism is perfect. Certain Linux exploits will allow you to break a chroot jail (I believe the udev privilege escalation exploit made public earlier this year can do that), other exploits will allow you to escape from a vm (Immunity's cloudburst) and Im sure there are ways around HIDs systems too. A layered defense is required.

And yes, backups are one of the most important things you can do, but I don't necessarily think they can be described as trumping firewalls and HIDS, their purposes are too different to allow a comparison. You probably didn't mean that backups can be used instead of a firewall or HIDS, but just in case anyone else gets the impression that thats appropriate....

[hitthemlow]

And yes, backups are one of the most important things you can do, but I don't necessarily think they can be described as trumping firewalls and HIDS, their purposes are too different to allow a comparison. You probably didn't mean that backups can be used instead of a firewall or HIDS, but just in case anyone else gets the impression that thats appropriate....

No, not at all what I meant, but I for one know any idiot (well ok not ANY idiot, but alot) can get through firewalls, even with no mapped ports. HIDS is a bit harder, but possible. But, a proper backup system is almost impossible to track down and destroy them all. And in the very worst case, it prolongs the time you have to shut him/her down by hours.

But when I say proper backups, I mean a reverse connecting system, where the backup machine connects to the server, then the logs are cleaned after wards, leaving it almost spotless. I even saw one that was compiled right into the kernel so noone could even see when it was happening. I dont expect most people to do that, but it was awesome nonetheless

[lupin]

I for one know any idiot (well ok not ANY idiot, but alot) can get through firewalls, even with no mapped ports.

If any idiot (or even many idiots) can get through it, the firewall rules probably need to be specified better. Proper filtering on outgoing connections (restricting allowed outbound traffic to what can be controlled) and proxying allowed outbound ports using a decent content inspecting device at least brings things to the level where it takes more than an idiot to get past it.

An example - all outbound traffic denied by default, you only allow SMTP outgoing from your email server, DNS requests are only allowed outbound from your DNS server and web traffic has to go through a decent web filter that whitelists or inspects inside https and performs content checking on http/ftp traffic, blocking executables, binary content, etc. Using a proper proxy device can severely restrict the ability to tunnel out using the CONNECT method or http encapsulation tunneling (httptunnel).

I even saw one that was compiled right into the kernel so noone could even see when it was happening. I dont expect most people to do that, but it was awesome nonetheless

Very cool. Perhaps overkill, but I respect that level of healthy paranoia. Would be a pain having to recompile the kernel whenever you needed to change configuration though (unless the config files were in the filesystem, but then theres a way to detect it...)

[hitthemlow]

If any idiot (or even many idiots) can get through it, the firewall rules probably need to be specified better. Proper filtering on outgoing connections (restricting allowed outbound traffic to what can be controlled) and proxying allowed outbound ports using a decent content inspecting device at least brings things to the level where it takes more than an idiot to get past it.

Yes a network like that would be hard for an idiot to get through, however, I want you to honestly tell me how many networks you have seen with that kind of security.

An example - all outbound traffic denied by default, you only allow SMTP outgoing from your email server, DNS requests are only allowed outbound from your DNS server and web traffic has to go through a decent web filter that whitelists or inspects inside https and performs content checking on http/ftp traffic, blocking executables, binary content, etc. Using a proper proxy device can severely restrict the ability to tunnel out using the CONNECT method or http encapsulation tunneling (httptunnel).

gain, how have you seen like that, im not saying that all firewalls can be bypassed. But I sometimes want to hit my head off my wall at the amount that respond to an ICMP Quench or redirect. Or worse, the amount of ways to utterly destroy the bigger routers with certain BGP and RIP transmissions.

But I think Inter-Router Protocol are a bit over the top for this thread

Oh and to quickly mention somehting I found hillarious, during a recent test (consented of course) I found myself in a really tight chmod jail, I mean it was REALLY TIGHT. After about... oh i dont know... three hours of scouring the commands I had outputed (I always output them to a file so I dont make more logs to clean up) I found that although /etc was a no go, one of its children had better access than it... God knows how it happened, slip of the r key or w/e. But I ended up hitting myself since I had read/write to a very nice file I like to call /etc/inetd.conf. Took all of 15 seconds to gain root once I knew the vuln was there D:

Very cool. Perhaps overkill, but I respect that level of healthy paranoia. Would be a pain having to recompile the kernel whenever you needed to change configuration though (unless the config files were in the filesystem, but then theres a way to detect it...)

I cant remember exactly, but from what I do, it didnt have a conf file. What it did was listen for a specially forged packet containing everything it needed to know, it was some random reserved Type and Code in an ICMP Datagram. The packet contained (encrypted of course) what it needed to connect to and what they were coming for. From what I remember, it was completely transparent except for when it did its backups, on both machines. And even that would be a **** to break since he used some special checksum/encryption that wasnt standard.

Yeah, he was paranoid, but I swear, his machine was like albestos is to flame. Un(hack/burn)able except when the world is ending

[lupin]

Yes a network like that would be hard for an idiot to get through, however, I want you to honestly tell me how many networks you have seen with that kind of security.

My office network does, and Id suspect many of the clients of our secure gateway provider do (mostly Australian Federal Government). My home network does too, but then again Im paranoid

Outside of that maybe not too many, but its asking for trouble in this day and age if you dont lock down your firewall in this way in my opinion...

Oh and to quickly mention somehting I found hillarious, during a recent test (consented of course) I found myself in a really tight chmod jail, I mean it was REALLY TIGHT. After about... oh i dont know... three hours of scouring the commands I had outputed (I always output them to a file so I dont make more logs to clean up) I found that although /etc was a no go, one of its children had better access than it... God knows how it happened, slip of the r key or w/e. But I ended up hitting myself since I had read/write to a very nice file I like to call /etc/inetd.conf. Took all of 15 seconds to gain root once I knew the vuln was there D:

Yes that will do it. Kind of makes a jail pointless if you do that...

I cant remember exactly, but from what I do, it didnt have a conf file. What it did was listen for a specially forged packet containing everything it needed to know, it was some random reserved Type and Code in an ICMP Datagram. The packet contained (encrypted of course) what it needed to connect to and what they were coming for. From what I remember, it was completely transparent except for when it did its backups, on both machines. And even that would be a **** to break since he used some special checksum/encryption that wasnt standard.

Yeah, he was paranoid, but I swear, his machine was like albestos is to flame. Un(hack/burn)able except when the world is ending

Undoubtedly cool, but sounds like it would be a bitch to maintain though. The company would be in trouble if that guy got hit by a truck.