Isolation between users SOLVED

Questions about applications and software
Forum rules
Before you post please read how to get help
Post Reply
WHVW
Level 4
Level 4
Posts: 334
Joined: Tue May 19, 2015 4:31 pm

Isolation between users SOLVED

Post by WHVW » Mon Feb 11, 2019 12:45 am

Hi all:

From my first days in Linuxworld, I noticed that the programmes one installed for root were not <<bridge-overs>> of the same programmes my regular user used, but completely separate instances. Indeed, under normal circumstances, my regular user cannot access the files in root's folder. But that's root, and one would expect this to be so for obvious reasons.

What I am now wondering about is if <<regular user 2>> would have the same degree of isolation from <<regular user 1>> as either of them would from root (?). Or is root the only user with those special protections? Are <<regular users 1 and 2>> isolated from each other but not quite as completely as either of them from root? Or, are there other considerations that make such an approach useless from the standpoint of security?, (i.e. that <<regular user 2's>> programmes can have an easy, unimpeded look at <<regular user 1's>> stuff). Perhaps if the isolation isn't there, there are settings to make it so?

Thanks.
Last edited by WHVW on Tue Feb 12, 2019 2:43 pm, edited 1 time in total.

gm10
Level 15
Level 15
Posts: 5682
Joined: Thu Jun 21, 2018 5:11 pm

Re: Isolation between users

Post by gm10 » Mon Feb 11, 2019 12:58 am

By default user profiles are only protected against write access, not read access. To prevent read access to your profile, run

Code: Select all

sudo chmod 700 ~
Note that root has access to everything all the time, and thus so will other users with sudo access or knowledge of the root account password.

User avatar
Pierre
Level 18
Level 18
Posts: 8029
Joined: Fri Sep 05, 2008 5:33 am
Location: Perth, AU.

Re: Isolation between users

Post by Pierre » Mon Feb 11, 2019 3:53 am

on some pf my PCs there is more than One User & they do share a common /home partition,,
as this is often how I've achieved some multi_boot machines, and where there is an conflict
with similar user-names in that common /home partition.

now, this does come with some advantages - - the ability to Read Files within another user-name,,
is quite often, an quite - handy idea.

but, in all cases, the ability to Write to that other user-names folder, that is within that common /home,,
does in general have to be made at an Elevated Privilege Level aka Root - usually.
- - there is a way to elevate another ordinary user - - as well, but for myself - - Root is just easier to achieve.
Image
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.

WHVW
Level 4
Level 4
Posts: 334
Joined: Tue May 19, 2015 4:31 pm

Re: Isolation between users

Post by WHVW » Mon Feb 11, 2019 5:42 pm

Gm10 & Pierre:

The purpose of my question is trying to find out if having another, <<browsing user>> would afford a meaningful amount of extra protection from prying websites.

We all know that malicious sites want to garner as much info on you as possible, one common example would be your browser's history. Yes, I know that I could just delete it, but then I will loose the ability to find things that I really need, so I would rather not do that. I have never heard of any option that allows one to protect one's browser history (such as storing it in another location with a small programme that would plug it in for the user but be inaccessible to others, for example).

What (if any) would be the effectiveness of setting up a <<browsing user>> that would have little or no history of its own, while an other user's browser history remains intact?

Would scans of the browsing user's history be able to see the other user's history, home directory, etc.? If so, is that preventable?

When you run a browser (again, for example, I am thinking of other programmes too) under two different users, are you running two different, independent and unrelated instances of that programme, or is each user's particulars plugged in and out of a common (running) core as you switch users?

Yes, I agree that root is the way to go when you have a lot of tasks to be done at that level. Here I am not concerned with someone physically accessing the machine, but about remote, on-line stuff via sneaky websites (etc.).

Does the

Code: Select all

sudo chmod 700 ~
command need to be done while being a particular user or does it work for all users, across the board?

Could/would moving the browser user's <<home>> directory to an unusual location (if possible) do anything to obfuscate its presence and information?

I seem to remember, but am not really sure, of reading someplace that <<sudo>>(etc.) is not executable via a remote connection. Is that true? If not, could it be made so?

Please forgive me for asking so many questions, and thank you for your time

gm10
Level 15
Level 15
Posts: 5682
Joined: Thu Jun 21, 2018 5:11 pm

Re: Isolation between users

Post by gm10 » Mon Feb 11, 2019 5:54 pm

If you only want to protect your history from other users then see the command I posted. That was meant for the currently logged in user, i.e. you. If you want to apply it to all user's home directories then run:

Code: Select all

sudo chmod 700 /home/*

WHVW
Level 4
Level 4
Posts: 334
Joined: Tue May 19, 2015 4:31 pm

Re: Isolation between users

Post by WHVW » Mon Feb 11, 2019 11:43 pm

gm10:

What I am trying to find out is (if) while browsing as user A. if a website trying to spy on user A's browser could also spy on user B's browser, and, by extension, user B's files and programmes.

Thanks

User avatar
thx-1138
Level 6
Level 6
Posts: 1449
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: Isolation between users

Post by thx-1138 » Tue Feb 12, 2019 3:27 am

...if a website trying to spy on user A's browser could also spy on user B's browser, and, by extension, user B's files and programmes.
No, 'as it is', it can't. Such would make the news actually - the following are very different concepts...
1) Privacy ≠ security.
2) Local user permissions ≠ what a site can or cannot access remotely.

Depending on your browser's settings & configuration,
a (whatever) site can (more or less) access certain parts of your current browser-in-use history,
eg. Bob -> Firefox -> site reads some past browsing history entries of Bob.

Ie. no, it cannot access Alice -> Firefox -> past browsing history entries of Alice 'as it is'.
For that, a very serious exploit would have to be involved. And if such was discovered,
99% it would not care / attempt to just read Alice's his browsing history, but instead do lots more of nasty things.
That's where locally set user profile permissions & isolation might or might not help,
depending on the severity of the alleged exploit in question.

Simply put: no, a (whatever) site doesn't go around in your system reading (whatever) user's (pro-)files.
That's as far regarding...'security'.

Now regarding...'privacy', since both Bob & Alice share the same ip address and not only,
the (whatever) site in question can relatively easily match & identify what's been going on.
And this should answer your question of:
What (if any) would be the effectiveness of setting up a <<browsing user>> that would have little or no history of its own,
while an other user's browser history remains intact?
Relatively minimal, but possibly welcomed.
Bob walks into the bar...tells the story of his life to the barman.
Alice goes to the bar afterwards, barman doesn't know with absolute certainty,
but can come up with a pretty educated guess of what Alice has been going through... :wink:

gm10
Level 15
Level 15
Posts: 5682
Joined: Thu Jun 21, 2018 5:11 pm

Re: Isolation between users

Post by gm10 » Tue Feb 12, 2019 3:34 am

WHVW wrote:
Mon Feb 11, 2019 11:43 pm
What I am trying to find out is (if) while browsing as user A. if a website trying to spy on user A's browser could also spy on user B's browser, and, by extension, user B's files and programmes.
See the good answer above, plus again my response. If you make the other user profile unreadable to you then any local file access exploit ends at your profile.

Another solution is to sandbox your browser by installing e.g. the popular Firejail with its pre-configured profiles, or by using the built-in apparmor by setting up a profile for your browser. Both of those are fairly advanced concepts but may be worth reading into if you want to lock your browser down further.

WHVW
Level 4
Level 4
Posts: 334
Joined: Tue May 19, 2015 4:31 pm

Re: Isolation between users

Post by WHVW » Tue Feb 12, 2019 2:42 pm

gm10, thx-1138:

Thanks. The Firejail looks worth a try.

redlined
Level 5
Level 5
Posts: 829
Joined: Wed Jun 06, 2018 8:12 pm
Location: Mile High, Green State! (Denver, CO;)

Re: Isolation between users SOLVED

Post by redlined » Tue Feb 12, 2019 3:08 pm

worth noting, if going firejail for full system/desktop integration, using firecfg --fix-sound and sudo firecfg then you may find it useful to ensure a good whitelist of your ~/Downloads directory or you may find it very frustrating to download anything (and find where it saved;). although I may have just had issue with this since my ~/Downloads directory is actually a symlink to /mnt/data/Downloads (noting that by default ~/Downloads is really the only persistent whitelisted space, iirc)

For more see:
https://firejail.wordpress.com/documentation-2/
https://firejail.wordpress.com/document ... fox-guide/
(recommend to read back through the comments as well)
LM19.1 Cinnamon 4.0.9, kernel 4.18.0-15 x86_64
HP15 Laptop: 2Ghz Celeron quad core, 1TB 860 Evo SSD, 8GB Timetec RAM

My go to sites, besides this forum:
(start here! - EasyLinuxTips project then go Learn Linux-fu!

Post Reply

Return to “Software & Applications”