Protecting your computer from your browser

As an IT professional, I am aware of the potential malware threats to computers that exist on the internet. Even though the threats are considered minimal for us Linux users, I’m still paranoid enough to try security fixes that are not too difficult and that don’t impair my own usage. For example, I had thought about running my web browser as a different user but had figured that it would be a hassle to copy/move the profile and settings over.

Anyway, the other day, I found this and decided to give it a shot! The idea is to set up another user who is not a member of the default group ("users") and that cannot overwrite any of your or the system’s data. The alternate user has minimal privileges (its own group, and no login password). The only way to log in is to su root, then su <user>. NOTE: I decided to name my user “browser” and create a separate “group” that the user was a member of, also called “browser”. I also had to add “browser” to the “audio” group in /etc/group in order for Firefox to be able to play sounds. You can use whatever username you wish.

Here’s what I did:

1) groupadd browser

2) useradd -m -s /usr/local/bin/ -g browser browser

3) Add the following line to /etc/sudoers (only if your browser launching script "renices" the browser to run with higher priority – for better responsiveness):

browser ALL=(root) NOPASSWD: /usr/bin/renice

4) Switch to your own home directory and do:

sudo cp -R ~/.mozilla ~/.gtk* ~/.font* ~/.Xdefaults /home/browser

5) sudo mkdir /home/browser/.tmp

6) su root

7) cd /home/browser

8) chown -R browser:browser .

9) ls -la (make sure all files, including hidden ones are owned by browser).

10) Invoke browser (preferably in a script or menu) as: sudo su -c "/path/to/your/fav/browser" browser

If this doesn’t work, you may wish to delete everything in /home/browser/.mozilla/firefox/, run Firefox to create a new default "profile", then do:

cp -R /home/<you>/.mozilla/firefox/* /home/browser/.mozilla/firefox/

(and make sure all files are owned by "browser")!

Enjoy safer browsing!

UPDATE 1/2011 (Ubuntu 10.10): I also had to do the following:
(Got all this from here: ) This was after the new user could NOT connect to the display; then Firefox spewed “gnome” errors.

In /etc/sudoers, ADD:

User_Alias X_USERS =
Defaults:X_USERS env_reset
Defaults:X_USERS env_keep += DISPLAY
Defaults:X_USERS env_keep += XAUTHORITY

Also, your new browser user still needs to be able to invoke a shell.

Then before invoking browser, one must do: xhost +
which disables X display security – I wish I knew how to just allow the “browser” user to write to the display, but nothing short of this seemed to work for me.
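
The `xhost +` step above switches off X access control for every client that can reach the display. As an added example (not part of the original post), this launcher grants display access to the single local account through xhost's server-interpreted `SI:localuser:` entry and revokes it when the browser exits; the Firefox path, the environment variable names and the `--run` switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes an X11 session and the
# "browser" account created in the steps above.
BROWSER_USER=${BROWSER_USER:-browser}
BROWSER_CMD=${BROWSER_CMD:-/usr/bin/firefox}   # assumed path, adjust to yours

# Print the xhost entry that names exactly one local account.
# Fails on anything that is not a plain lowercase account name, so nothing
# unexpected is ever handed to xhost.
x_grant_spec() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    printf 'SI:localuser:%s\n' "$1"
}

# Read `xhost` output on stdin; succeed if access control is switched off,
# meaning an earlier "xhost +" is still in effect.
x_access_is_open() {
    grep -q '^access control disabled'
}

launch() {
    spec=$(x_grant_spec "$BROWSER_USER") || {
        echo "refusing user name: $BROWSER_USER" >&2
        return 2
    }
    # Close the display again if it was left open to everyone.
    if xhost | x_access_is_open; then
        xhost -
    fi
    xhost "+$spec"                          # allow only this local user
    trap 'xhost "-$spec"' EXIT INT TERM     # revoke when the script ends
    sudo su -c "$BROWSER_CMD" "$BROWSER_USER"
}

# Only touch the display when asked to, so the file can be sourced safely.
if [ "${1:-}" = "--run" ]; then
    launch
fi
```

Running `xhost` with no arguments afterwards should report access control as enabled and list only the `SI:localuser:browser` entry while the browser is open.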

