usff
#!/bin/bash
# OBSOLETE
# --------
# I am not using this any more. Please do read the WHY section below for the
# original motivation. However, after some years of doing this I realised that
# I rarely, if ever, run more than one such private browser at once, so it
# seems sufficient to relegate them *all* to a secondary userid and run them
# from there. Code for that is in the new "usff" to be added here soon.
shopt -s inherit_errexit
set -euo pipefail
IFS=$'\n\t'
die() { echo >&2 "$*"; exit 1; }
cat <<EOF >/dev/null
"usff" stands for "user separated firefox". Or maybe "ultimate separation for firefox" :)
WHY
---
I want persistent logins to several sites, with the ultimate separation
between them, even more than Firefox's profiles or container tabs can give
me. I don't need it for all sites; only for anything to do with money
(bank, credit card, etc., shopping sites, and my primary email where bank
may send statements etc).
Unix's user-to-user separation has been around longer than anything else I
can *trivially* get my hands on (translation: Qubes is overkill and anyway
I don't have the hardware for it!) so why not use that instead? Just
create and use a separate Unix userid for each site you want to log on to.
Advantages:

  - Unix OS level separation is much older and much more time-tested than
    any firefox-internal mechanisms like container tabs or profiles
    (consider the probability of a bug in firefox that breaks the wall
    between profiles, and the probability of the same thing happening to
    the Unix user-id separation)

  - Invoked programs (e.g., PDF reader) also run separated (consider the
    likelihood of downloading a malicious PDF, for example)

Disadvantages (also see "REMINDER" section below):

  - Any files downloaded that you want to preserve will have to be moved
    manually, using some other mechanism. (I typically just use /tmp/tmp,
    (chmod 1777, just like /tmp), and a cron job that goes in and wipes
    out files older than a day to keep it sane).

HOW
---

ONE-TIME preparation:

  - Put this script (usff) somewhere in PATH.

  - As root, create the group which will hold all these userids:

        groupadd usff

  - As root, add this line to the sudoers file (by running "visudo"):

        xkcd386 ALL=(%usff) NOPASSWD: ALL

    (replace "xkcd386" with whatever your userid is).

ONE-TIME per site you want to enable this for:

  - As root, for each site you want to separate, run this (using a
    fictional "mybank" as an example):

        usff new mybank.com

REGULAR USE

  - From your normal userid, (again using mybank as an example) just run:

        usff mybank.com

  - If you want to open a PDF or a media file from within this browser,
    you will either have to rerun the usff command above just before you
    open it, or you may choose to comment out the last line in this script
    (the "xhost -" line)

  - You can even start other programs. Let's say you already downloaded
    your bank statement PDF in a session yesterday. Just run

        usff mybank.com okular

    and hit Ctrl-O to navigate to your file and open it.
REMINDER
--------
Nothing stops you from using a mybank.com firefox instance to log on to,
say, google. This is not meant to protect against **you** :-)
The biggest adjustment is links. Don't click on links that go to some
other site. Instead, start the other browser also (if needed), then copy
and paste the link.
In reality, the sites I use it for rarely have any cross bleed like this
so this has not been a problem for me so far. YMMV.
EOF
# ----------------------------------------------------------------------
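sitename_to_username() {
    local site
    # keep only lowercase letters and digits; every other character is dropped
    site=$(printf '%s' "$1" | tr -cd 'a-z0-9')
    [[ -n $site ]] || die "site name '$1' contains no lowercase letters or digits"
    echo "usff-$site"    # mandatory prefix, to distinguish from other users
    # i.e., "mybank.com" becomes "usff-mybankcom"
}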
# ----------------------------------------------------------------------
if [[ $EUID -eq 0 ]]; then
    # arg 1 should be "new"; just as a sanity check
    # (${1:-} and ${2:-} avoid an "unbound variable" abort under "set -u")
    [[ ${1:-} == new && -n ${2:-} ]] || die "Usage: '$0' new somesite.com"
    shift
    SITE=$(sitename_to_username "$1")
    SITEHOME="/home/$SITE"
    useradd -m -G usff "$SITE"
    chmod -R go-rwx "$SITEHOME"
    chown -R "$SITE:$SITE" "$SITEHOME"
    # random password that is never shown or stored anywhere
    echo "$SITE:$(openssl rand -hex 32)" | chpasswd
    echo >&2 "Created new user $SITE..."
    exit 0
fi
[[ -z ${1:-} ]] && die "need a site name"
# ----------------------------------------------------------------------
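SITE=$(sitename_to_username "$1")
if [[ ! -d /home/$SITE ]]; then
    # no exact match: fall back to the first usff-* account whose name
    # contains the sanitized argument, so "usff mybank" finds usff-mybankcom
    SITE=$(cd /home; ls -d usff-* 2>/dev/null | grep -F -- "${SITE#usff-}" | head -1 || echo NOTFOUND)
fi
[[ -d /home/$SITE ]] || die "run 'usff new $1' as root first"
shift

sudo -u "$SITE" id    # will provoke asking for password

# browser or other tool to start
if [[ -n "${1:-}" ]]; then
    :
elif sudo -u "$SITE" ls -d "/home/$SITE/.librewolf" >/dev/null 2>&1 ; then
    set -- librewolf
else
    set -- firefox
fi

# enable X programs to run as user $SITE
xhost "+SI:localuser:$SITE"

# start the browser if it's not already started
# NOTE: "dm" is not defined in this file and must be provided separately; the
# "sleep 5" below assumes it starts the command detached and returns at once
pgrep -c -u "$SITE" -f "$1" || dm sudo -u "$SITE" "$@"
sleep 5

# disable any more X programs from running (see usage notes above)
xhost "-SI:localuser:$SITE"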
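
Added example, not part of the original usff script: two audit helpers for the properties the script relies on, namely a home directory closed to group and other (the "chmod -R go-rwx" step) and an X grant that gets revoked again (the final "xhost -" line). The function names, the demo tree and the sample xhost output are constructed for illustration; "SI:localuser:NAME" is the line format xhost prints for the grants this script adds.

```shell
#!/bin/bash
# Audit helpers for a usff-style setup (added example, hypothetical names).

# Print usff-* accounts that still hold an X server grant.
# Reads `xhost` output on stdin; grant lines look like "SI:localuser:NAME".
usff_lingering_xhost() {
    sed -n 's/^SI:localuser:\(usff-[a-z0-9][a-z0-9]*\)$/\1/p'
}

# Print usff-* home directories under $1 that have any group/other
# permission bit set, i.e. where "chmod go-rwx" no longer holds.
# Only the top-level mode is checked: it gates access to everything below.
usff_loose_homes() {
    for d in "$1"/usff-*/; do
        [ -d "$d" ] || continue
        case $(ls -ld "$d") in
            d???------*) ;;            # group and other fully closed
            *) echo "${d%/}" ;;
        esac
    done
}

# Constructed sample of `xhost` output: the normal user plus one usff grant
# that was never revoked (e.g. the last "xhost -" line was commented out).
SAMPLE_XHOST='access control enabled, only authorized clients can connect
SI:localuser:xkcd386
SI:localuser:usff-mybankcom'

# Demo on constructed data: a throwaway "home" tree with one tight and
# one loose directory, so nothing on the real system is touched.
usff_audit_demo() {
    local root
    root=$(mktemp -d)
    mkdir -m 700 "$root/usff-mybankcom"
    mkdir -m 755 "$root/usff-shopcom"
    echo "lingering X grants:"
    printf '%s\n' "$SAMPLE_XHOST" | usff_lingering_xhost
    echo "loose home dirs:"
    usff_loose_homes "$root"
    rm -rf "$root"
}
usff_audit_demo
```

On a live system the equivalent calls are "xhost | usff_lingering_xhost" from the desktop session and "usff_loose_homes /home".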