[lug] Firefox chroot

Hugh Brown hugh at math.byu.edu
Mon Feb 26 06:23:44 MST 2007

Daniel Webb wrote:
> After reading about so many Firefox exploits, it occurred to me that it is
> probably the most insecure thing I use by far.  I created a little Debian Etch
> install with debootstrap and only installed locales and firefox.  Does it make
> a bit of difference?  Mainly, I'd like to keep an attacker from being able to
> view or delete the contents of my home directories.
> I'm especially thinking about the X connection which Firefox obviously has to
> have.  If an application doesn't have focus from the window manager, can it
> still see the keystrokes going through the X server (Xvnc in my case)?  In
> other words, if Firefox can see everything I'm typing even if I'm in a xterm
> in a different window, there probably isn't much point in what I'm doing.  The
> window manager is not running in the chroot jail, it's running on the main
> system, of course.  I'm currently just using TCP/IP for the X connection (I
> assume), is a socket connection faster?  I also assume I can just hardlink the
> appropriate /tmp/.X11-unix socket, but I'm not really sure and haven't tried
> yet since it's working.

Another approach is to run Firefox with the NoScript extension.  It 
disables all javascript/flash.


More information about the LUG mailing list