runas is a tool that executes commands as other users. It sets up xauth and some environment variables so that X applications (currently I am running gaim and firefox through runas) work.
Why?
The rationale is similar to Vista's reduced-privilege mode for IE7. If a remote vulnerability in an application is exploited, the damage is limited to what that separate user can do (unless other local exploits are used to gain root privileges).
Although their goals are similar, runas was not inspired by the so-called "Low-Rights IE". I first had the idea and an initial implementation (which never worked) some time in 2005, before such a mode was announced for IE7. Obviously numerous daemons before that also implemented their own privilege dropping. Unlike those mechanisms, runas enables privilege dropping for arbitrary programs that do not have the feature built in.
Usage
Extract the tarball, run make && make install, then copy runas.conf to /etc and modify it for your environment. runas does not create the users and groups listed in runas.conf, so you will need to create them yourself:
sudo adduser --disabled-login webbrowser
If you want to keep your existing firefox profiles where they are, some extra steps are needed (run these from your home directory):
sudo chgrp -R webbrowser .mozilla
# make files g+rwx where appropriate (NUL-separated and quoted so paths with spaces survive)
find .mozilla -print0 | while IFS= read -r -d '' f; do
    [ -x "$f" ] && sudo chmod g+x "$f"
    [ -w "$f" ] && sudo chmod g+w "$f"
    [ -r "$f" ] && sudo chmod g+r "$f"
done
You also need to change your default browser to runas /usr/bin/firefox %s if you want links from other applications to work correctly. If you use GNOME, this can be done in gnome-default-applications-properties.
In addition to that, I also created a ~/Desktop/Downloads directory under my normal user and made it group webbrowser and group-writable. I changed my firefox download directory to that so I can grab the files I downloaded easily.
I've only tested runas under Linux (Ubuntu Edgy), although it will probably work in other unix environments, assuming that glib and its development headers are installed.
How secure is this?
Since runas is a setuid binary, Very Bad Things can happen if something goes wrong. Just keep in mind that runas comes with no warranty :-)
runas also does not prevent exploits that directly target the X server or its drivers, like the recent Nvidia driver exploit, because the application still has full access to the X server.
runas.conf should only list commands using absolute paths.
runas is also not suited for environments with more than one real user, because the configuration is global. This may change in a later version.
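To make the privilege-drop mechanism and the absolute-path rule concrete, here is the core of a runas-style setuid wrapper as an added example; it is not the project's source. Everything in it is constructed: ALLOWED stands in for runas.conf, webbrowser is the user created under Usage, and XAUTH_FILE is a hypothetical cookie file the wrapper is assumed to have prepared for the target user (the xauth step itself is not shown).

```c
/* Core of a runas-style setuid wrapper: an added illustration, not the project's source.
 * ALLOWED stands in for runas.conf; the xauth step (exporting the caller's X cookie to
 * XAUTH_FILE for the target user) is assumed to have happened and is not shown. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

static const char *const ALLOWED[] = { "/usr/bin/firefox", "/usr/bin/gaim", NULL };
#define TARGET_USER "webbrowser"       /* the unprivileged user created under Usage */
#define XAUTH_FILE  "/tmp/runas-xauth" /* hypothetical cookie file readable by that user */

/* Only an exact, absolute allow-list entry passes: a relative name would be resolved
 * through the caller's PATH, and "//", "/./" or "/../" could alias another file. */
int command_allowed(const char *cmd) {
    if (!cmd || cmd[0] != '/' || strstr(cmd, "//") || strstr(cmd, "/./") || strstr(cmd, "/../"))
        return 0;
    for (int i = 0; ALLOWED[i]; i++)
        if (strcmp(cmd, ALLOWED[i]) == 0) return 1;
    return 0;
}
/* Irreversible drop, in order: supplementary groups, gid, then uid (after setuid() the
 * groups could no longer be changed); afterwards prove that root cannot be regained. */
int drop_privileges(const struct passwd *pw) {
    if (initgroups(pw->pw_name, pw->pw_gid) || setgid(pw->pw_gid) || setuid(pw->pw_uid))
        return -1;
    if (pw->pw_uid != 0 && (setuid(0) == 0 || setgid(0) == 0))
        return -1;                          /* drop did not stick: run nothing */
    return 0;
}
/* Fresh environment: the caller's PATH, LD_PRELOAD and the like must not reach the new user. */
int reset_env(const struct passwd *pw, const char *display) {
    if (clearenv() != 0) return -1;
    int rc = setenv("HOME", pw->pw_dir, 1) | setenv("USER", pw->pw_name, 1) |
             setenv("PATH", "/usr/bin:/bin", 1);
    if (display)                            /* X client: hand over the display and our cookie */
        rc |= setenv("DISPLAY", display, 1) | setenv("XAUTHORITY", XAUTH_FILE, 1);
    return rc;
}
int main(int argc, char **argv) {           /* the binary itself is installed setuid root */
    char *display = getenv("DISPLAY") ? strdup(getenv("DISPLAY")) : NULL; /* survives clearenv */
    struct passwd *pw = getpwnam(TARGET_USER);
    if (argc < 2 || !command_allowed(argv[1]) || !pw || drop_privileges(pw) || reset_env(pw, display)) {
        fputs("runas: refused\n", stderr); return 1;
    }
    execv(argv[1], argv + 1);               /* only returns if the exec itself fails */
    perror("runas: execv"); return 1;
}
```

Note that the drop is verified by trying to regain uid 0 afterwards and refusing to exec if that succeeds; a wrapper that skips initgroups() or calls setuid() before setgid() would keep root's supplementary groups or fail to drop the gid at all.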