Privilege separation for Firefox (aka: how to secure web browsing)

I do this on Scientific Linux 6.3 (implementing it requires minimal Linux knowledge):

Shared directory for downloads

Remember you can only copy from or to this directory, never "move" files to here or move files from here!

adduser ffuser
passwd ffuser # use a very good and very long password
groupadd ffgroup
vi /etc/group # add ffuser and the normal user to the end of the ffgroup line. After editing a user's groups, you need to log in again for it to take effect.
mkdir /home/Downloads; chmod -R 2770 /home/Downloads; ln -s /home/Downloads /home/NORMALUSERHERE/Desktop/Downloads; chown ffuser:ffgroup /home/Downloads/
echo "umask 007" >> /home/ffuser/.bashrc
# older ssh-copy-id only accepts the port inside the quoted host argument
ssh-copy-id -i /home/NORMALUSERHERE/.ssh/id_rsa.pub '-p PORTNUMBER ffuser@127.0.0.1'


With root

vi /etc/ssh/sshd_config
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin without-password
ListenAddress 127.0.0.1
Port SOMEHIGHPORTNUMBERHERE

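As an added check (not part of the original question), the following script verifies the two pieces set up above before Firefox is ever started over ssh: that the shared download directory really is a setgid, group-only directory, and that sshd_config carries the hardening lines and a non-default port. It assumes GNU coreutils (stat -c, which Scientific Linux ships) and takes the directory, group and sshd_config path as arguments; the sshd_config it can write itself is a constructed sample for trying the check without touching /etc.

```shell
#!/bin/sh
# Added example, not part of the original question: sanity checks for the
# shared download directory and the loopback-only sshd configuration.
# Assumes GNU coreutils (stat -c). Usage:
#   sh check_setup.sh /home/Downloads ffgroup /etc/ssh/sshd_config

# check_shared_dir DIR GROUP
# Succeeds only if DIR is mode 2770 (setgid, nothing for "others") and is
# owned by GROUP, so files copied in inherit the group and stay private.
check_shared_dir() {
    dir=$1
    want_group=$2
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    mode=$(stat -c '%a' "$dir")
    group=$(stat -c '%G' "$dir")
    [ "$mode" = "2770" ] || { echo "$dir: mode $mode, expected 2770" >&2; return 1; }
    [ "$group" = "$want_group" ] || { echo "$dir: group $group, expected $want_group" >&2; return 1; }
}

# check_sshd_config FILE
# Each hardening line must appear uncommented at line start (sshd keywords
# are case-insensitive, hence -i). Port must be present and must not be 22.
check_sshd_config() {
    file=$1
    rc=0
    for pair in 'PasswordAuthentication no' \
                'PubkeyAuthentication yes' \
                'PermitRootLogin without-password' \
                'ListenAddress 127.0.0.1'
    do
        key=${pair%% *}
        val=${pair#* }
        if ! grep -Eiq "^[[:space:]]*${key}[[:space:]]+${val}[[:space:]]*$" "$file"; then
            echo "$file: missing '$pair'" >&2
            rc=1
        fi
    done
    if ! grep -Eiq '^[[:space:]]*Port[[:space:]]+[0-9]+[[:space:]]*$' "$file" \
       || grep -Eiq '^[[:space:]]*Port[[:space:]]+22[[:space:]]*$' "$file"; then
        echo "$file: Port must be set to a non-default port" >&2
        rc=1
    fi
    return $rc
}

# write_sample_sshd_config FILE: a constructed sshd_config with the lines
# from the question, for trying check_sshd_config offline.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server's config
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin without-password
ListenAddress 127.0.0.1
Port 52317
EOF
}

if [ "$#" -eq 3 ]; then
    check_shared_dir "$1" "$2" && check_sshd_config "$3" && echo "setup looks good"
fi
```

Run it as root after the commands above; a non-zero exit and a line on stderr name the first thing that deviates. The port check deliberately only rejects 22, since the page leaves the actual number up to you.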

Download firefox with this oneliner

# pick the newest .tar.* link from the directory listing and download it
URL="https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/latest/linux-x86_64/en-US/"; URLEND=`curl -s $URL | sed 's/"/\n/g' | fgrep '.tar' | sort -nr | egrep -v '/a|align|/td' | head -1`; curl "${URL}${URLEND}" > "${URLEND}"

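The oneliner fetches whatever the directory listing offers and never checks the tarball's integrity. Mozilla publishes a SHA512SUMS file (with a detached signature, SHA512SUMS.asc) under each versioned release directory on ftp.mozilla.org; the exact path is an assumption to confirm against the mirror. The following added example, not part of the original question, verifies a downloaded tarball against such a sums file offline. Because the sums file lists the same file name under several architectures, the entry is matched on its full relative path, not just the file name; the sums lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the original question: verify a downloaded
# Firefox tarball against a SHA512SUMS file before unpacking it.
# Assumes GNU coreutils (sha512sum). Usage:
#   sh verify_download.sh firefox-VERSION.tar.bz2 SHA512SUMS linux-x86_64/en-US/firefox-VERSION.tar.bz2

# expected_sha512 SUMSFILE RELPATH
# Prints the hash recorded for RELPATH. Entries look like
#   <hash>  linux-x86_64/en-US/firefox-VERSION.tar.bz2
# and the same file name appears once per architecture, so the whole
# relative path is compared, never just the basename.
expected_sha512() {
    sums=$1
    want=$2
    awk -v want="$want" '
        {
            path = $2
            sub(/^\*/, "", path)        # "*" marks binary mode in sums files
            if (path == want) { print $1; exit }
        }' "$sums"
}

# verify_sha512 FILE SUMSFILE [RELPATH]
# 0 if FILE hashes to the recorded value, 1 on mismatch, 2 if SUMSFILE has
# no entry for RELPATH (defaults to the basename of FILE).
verify_sha512() {
    file=$1
    sums=$2
    relpath=${3:-$(basename "$file")}
    want=$(expected_sha512 "$sums" "$relpath")
    if [ -z "$want" ]; then
        echo "$file: no entry for $relpath in $sums" >&2
        return 2
    fi
    have=$(sha512sum "$file" | awk '{ print $1 }')
    if [ "$have" != "$want" ]; then
        echo "$file: checksum mismatch" >&2
        return 1
    fi
    echo "$file: OK"
}

if [ "$#" -ge 2 ]; then
    verify_sha512 "$@"
fi
```

A matching checksum only proves the tarball is the one Mozilla listed; it says nothing about whether the sums file itself was tampered with on the way, which is what the detached signature is for.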

Don't show ffuser/root at login [using GNOME2]

# the brackets must be escaped, otherwise sed reads [greeter] as a character class
sed -i 's/\[greeter\]/[greeter]\nExclude=ffuser,root/g' /etc/gdm/custom.conf
cat /etc/gdm/custom.conf


Flash

Only use flash if really needed.

yum install flash-plugin
# run this with ffuser
mkdir -p "/home/`whoami`/.firefox/plugins"; ln -s "/usr/lib64/flash-plugin/libflashplayer.so" "/home/`whoami`/.firefox/plugins"


Use these as DEFAULT Firefox add-ons

https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/ # WOT settings -> Searching -> Show only negative ratings # FOR REAL SECURITY don't use this plugin, because it sends out the URLs that you are visiting..
https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/
https://www.eff.org/https-everywhere
https://addons.mozilla.org/en-US/firefox/addon/flashblock/ # if you are using flash.. but don't use it.. don't install flash..
https://addons.mozilla.org/en-US/firefox/addon/cookie-whitelist-with-buttons/


Add-ons for extra security

https://addons.mozilla.org/en-US/firefox/addon/noscript/ # tick "restrict on trusted sites too" in the "embedded objects" tab
# in 2013.03 convergence didn't work very well: https sites were slow with it, etc...
http://convergence.io/ # Firefox wouldn't start after installing convergence for the first time, just "kill" Firefox, start it again and then it will be ok :)


about:config

app.update.silent                          true
network.http.pipelining                    true
network.http.proxy.pipelining              true
network.dns.disableIPv6                    true
# only if using Linux/BSD
browser.download.manager.scanWhenDone      false
browser.cache.disk.capacity                262144
browser.cache.offline.capacity             262144
layout.spellcheckDefault                   2
browser.sessionstore.max_tabs_undo         2
browser.sessionstore.max_windows_undo      2
plugins.hide_infobar_for_missing_plugin    true

# THESE 5 ARE IMPORTANT FOR SECURITY REASONS
geo.enabled                                false
network.http.sendRefererHeader             0
pdfjs.disabled                             true
# only if using noscript!
noscript.showPermanent                     false

New -> String
general.useragent.override                 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
# just don't use your real user agent..

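The same prefs can be applied without clicking through about:config by putting them in a user.js file in the ffuser profile directory, which Firefox reads on every start (so a site or add-on that flips a pref in prefs.js does not survive a restart). The following is an added example, not part of the original question: it writes the list above in user_pref() syntax and can also audit an existing prefs.js or user.js for the three security-relevant values. The profile path is an assumption (look under /home/ffuser/.mozilla/firefox/ for the *.default directory); the noscript pref is left out because it only applies when NoScript is installed.

```shell
#!/bin/sh
# Added example, not part of the original question: write the about:config
# values listed above into user.js so Firefox applies them at every start,
# and audit an existing prefs.js/user.js for the security-relevant ones.
# The profile path is an assumption; find the real one under ~/.mozilla/firefox/.
# Usage: sh ffprefs.sh /home/ffuser/.mozilla/firefox/xxxxxxxx.default

# One "name value" per line; string values carry their own double quotes.
PREF_LIST='
app.update.silent true
network.http.pipelining true
network.http.proxy.pipelining true
network.dns.disableIPv6 true
browser.download.manager.scanWhenDone false
browser.cache.disk.capacity 262144
browser.cache.offline.capacity 262144
layout.spellcheckDefault 2
browser.sessionstore.max_tabs_undo 2
browser.sessionstore.max_windows_undo 2
plugins.hide_infobar_for_missing_plugin true
geo.enabled false
network.http.sendRefererHeader 0
pdfjs.disabled true
general.useragent.override "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
'

# pref_line NAME VALUE -> user_pref("NAME", VALUE);
pref_line() {
    printf 'user_pref("%s", %s);\n' "$1" "$2"
}

# write_user_js PROFILE_DIR: (re)creates PROFILE_DIR/user.js, prints its path
write_user_js() {
    out=$1/user.js
    mkdir -p "$1"
    printf '%s\n' "$PREF_LIST" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        pref_line "${line%% *}" "${line#* }"
    done > "$out"
    echo "$out"
}

# pref_value FILE NAME: prints the last value set for NAME (later lines win,
# as in Firefox), or nothing if it is not set at all
pref_value() {
    sed -n "s/^user_pref(\"$2\", \(.*\));\$/\1/p" "$1" | tail -n 1
}

# audit_security_prefs FILE: 0 only if the three security prefs have the
# intended values; each deviation is reported on stderr
audit_security_prefs() {
    rc=0
    for pair in 'geo.enabled false' 'network.http.sendRefererHeader 0' 'pdfjs.disabled true'; do
        name=${pair%% *}
        want=${pair#* }
        have=$(pref_value "$1" "$name")
        if [ "$have" != "$want" ]; then
            echo "$1: $name is '${have:-unset}', expected $want" >&2
            rc=1
        fi
    done
    return $rc
}

if [ "$#" -eq 1 ]; then
    f=$(write_user_js "$1") && audit_security_prefs "$f" && echo "wrote $f"
fi
```

Run it as ffuser while Firefox is closed; running the audit against the profile's prefs.js afterwards shows whether the values actually took effect.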

Disable flash cookies

For privacy, if Flash is installed, go to https://www.youtube.com/ and right click a flash element:

Right click -> Global Settings... -> Storage TAB -> Block all sites from storing information on this computer
Camera and Mic TAB -> Block all sites from using the camera and microphone
Playback -> Block all sites from using peer-assisted networking


Other important configs

  • Options->Advanced->Network->Offline storage 256 MB
  • Options->Advanced->General->Accessibility->
    Uncheck Always check to see if Firefox is the default browser on startup
    Uncheck Use smooth scrolling
  • Remove Unused Search Engines!

Check about:plugins. There shouldn't be any plugins.

rm /usr/lib/mozilla/plugins/*


After this, you can start Firefox with:

ssh -p 52317 ffuser@127.0.0.1 -X /home/ffuser/.firefox/firefox-bin > /dev/null 2>&1

Firefox has built-in auto update.

A few useful websites:

  • https://panopticlick.eff.org/
  • http://centralops.net/asp/co/BrowserMirror.vbs.asp
  • http://samy.pl/evercookie/
  • http://whatsmyuseragent.com/


These questions are all related to this one topic (that's why I didn't start several questions):

  1. How could this setup be tricked from the security side? Are there any tips/tricks to give fewer permissions to "ffuser"?
  2. Firefox still runs after closing it. How do I close the Firefox process if there aren't any Firefox windows? (It's not causing any problems, just frustrating.)
  3. There isn't any sound with "ssh -X" from Firefox. How do I fix this?

  • hint: do NOT install or immediately uninstall the so called "Web of Trust" (WOT), it can/must be considered as malware!!! - thehackernews.com/2016/11/web-of-trust-addon.html

    – DJCrashdummy
    Nov 11 '16 at 7:50

security firefox scientific-linux

asked Mar 2 '13 at 11:24 by gasko peter
edited May 11 '13 at 15:05 by Mat

2 Answers

  1. If you can use a VM instead, that would probably be easier to set up and slightly harder to break out of. You're using a RH-derivative, so you should be able to benefit from the SELinux rules they apply to VM software. You could even run a different guest system, e.g. use Fedora to get a distro-packaged firefox, with the theoretical benefit of SELinux rules.

  2. Likely dbus. Try running dbus-launch firefox.

  3. Do you have pulseaudio? I find ssh -X over a local network can handle sound as well if I enable network pulseaudio using paprefs. (Not sure how well it scales). If privacy of sound is a concern, you'd need to look at this more carefully though.

answered Mar 2 '13 at 22:17 by sourcejedi

Using SSH to localhost with X11 forwarding is very inefficient. You can use su or sudo to change the user instead, and then don't need to have every UI update encrypted and decrypted via SSH within the local machine.

If you set your audio permissions appropriately then you will be able to play audio in Firefox, but note that doing this may also allow Firefox to record audio as well (from a microphone or from other applications), so if security is important then you may want to forego audio entirely.

Disabling pdfjs is an odd choice, as this was created to increase security. It runs entirely within the browser so it is no more dangerous than any other web page, however downloading a PDF and viewing it in an external program has historically had many security problems.

As @sourcejedi says, running Firefox inside a VM is a considerably easier option and will give you even more security than you have here, and better performance as well (since you won't be using SSH). You can also snapshot the VM and roll it back if you get compromised, reducing the impact of a malicious site as well.


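Following the answer's suggestion, here is an added example (not the answerer's code) of launching the browser as the separate account with sudo instead of ssh -X. The piece the answer leaves implicit is display access: the other account needs permission to connect to your X server, and xhost +SI:localuser:ffuser grants exactly that one local user rather than opening the display to every client that can reach the socket (xhost +). The user name, the binary path and the sudoers rule are assumptions; audio is not handled here, for the reason the answer gives.

```shell
#!/bin/sh
# Added example, not from the answer above: run Firefox as "ffuser" on the
# current X display via sudo, granting display access only to that local
# account and revoking it afterwards. Assumptions: a sudoers rule lets the
# desktop user run the binary as ffuser, for example
#   NORMALUSER ALL=(ffuser) NOPASSWD: /home/ffuser/.firefox/firefox
# and xhost is installed (xorg-x11-server-utils on RHEL-derived systems).
# Usage: sh ff-launch.sh --run
FF_USER=${FF_USER:-ffuser}
FF_BIN=${FF_BIN:-/home/ffuser/.firefox/firefox}

# xhost_entry USER -> server-interpreted access entry for one local user;
# SI:localuser matches the connecting process's uid, so no xauth cookie has
# to be copied into ffuser's home.
xhost_entry() {
    printf 'SI:localuser:%s\n' "$1"
}

# launch_firefox_as USER BIN
# Refuses to run without DISPLAY (returns 2) rather than letting anything
# fall back silently; grants access, runs the browser in the foreground with
# USER's own HOME, then revokes the grant and returns the browser's status.
launch_firefox_as() {
    user=$1
    bin=$2
    if [ -z "${DISPLAY:-}" ]; then
        echo "DISPLAY is not set; run this from inside the X session" >&2
        return 2
    fi
    entry=$(xhost_entry "$user")
    xhost "+$entry" >/dev/null || return 1
    # -H sets HOME to ffuser's own, so profile, cache and downloads stay
    # under /home/ffuser; DISPLAY survives because RHEL-family sudoers keep
    # it in the default env_keep list.
    sudo -u "$user" -H "$bin"
    rc=$?
    xhost "-$entry" >/dev/null
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    launch_firefox_as "$FF_USER" "$FF_BIN"
fi
```

The grant is removed as soon as the browser exits, so a later process running as ffuser cannot attach to the display on its own. X itself gives every connected client access to the whole display (keystrokes of other windows included), which is part of why both answers prefer a VM.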




    share|improve this answer























      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "106"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f66645%2fpriviledge-separation-for-firefox-aka-how-to-secure-webbrowsing%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      3















      1. If you can use a VM instead, that would probably be easier to set up and slightly harder to break out of. You're using a RH-derivative, so you should be able to benefit from the SELinux rules they apply to VM software. You could even run a different guest system, e.g. use Fedora to get a distro-packaged firefox, with the theoretical benefit of SELinux rules.


      2. Likely dbus. Try running dbus-launch firefox.


      3. Do you have pulseaudio? I find ssh -X over a local network can handle sound as well if I enable network pulseaudio using paprefs. (Not sure how well it scales). If privacy of sound is a concern, you'd need to look at this more carefully though.







      share|improve this answer




























        3















        1. If you can use a VM instead, that would probably be easier to set up and slightly harder to break out of. You're using a RH-derivative, so you should be able to benefit from the SELinux rules they apply to VM software. You could even run a different guest system, e.g. use Fedora to get a distro-packaged firefox, with the theoretical benefit of SELinux rules.


        2. Likely dbus. Try running dbus-launch firefox.


        3. Do you have pulseaudio? I find ssh -X over a local network can handle sound as well if I enable network pulseaudio using paprefs. (Not sure how well it scales). If privacy of sound is a concern, you'd need to look at this more carefully though.







        share|improve this answer


























          3












          3








          3








          1. If you can use a VM instead, that would probably be easier to set up and slightly harder to break out of. You're using a RH-derivative, so you should be able to benefit from the SELinux rules they apply to VM software. You could even run a different guest system, e.g. use Fedora to get a distro-packaged firefox, with the theoretical benefit of SELinux rules.


          2. Likely dbus. Try running dbus-launch firefox.


          3. Do you have pulseaudio? I find ssh -X over a local network can handle sound as well if I enable network pulseaudio using paprefs. (Not sure how well it scales). If privacy of sound is a concern, you'd need to look at this more carefully though.







          share|improve this answer














          1. If you can use a VM instead, that would probably be easier to set up and slightly harder to break out of. You're using a RH-derivative, so you should be able to benefit from the SELinux rules they apply to VM software. You could even run a different guest system, e.g. use Fedora to get a distro-packaged firefox, with the theoretical benefit of SELinux rules.


          2. Likely dbus. Try running dbus-launch firefox.


          3. Do you have pulseaudio? I find ssh -X over a local network can handle sound as well if I enable network pulseaudio using paprefs. (Not sure how well it scales). If privacy of sound is a concern, you'd need to look at this more carefully though.








          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Mar 2 '13 at 22:17









          sourcejedisourcejedi

          23.5k437103




          23.5k437103

























              0














              Using SSH to localhost with X11 forwarding is very inefficient. You can use su or sudo to change the user instead, and then don't need to have every UI update encrypted and decrypted via SSH within the local machine.



              If you set your audio permissions appropriately then you will be able to play audio in Firefox, but note that doing this may also allow Firefox to record audio as well (from a microphone or from other applications), so if security is important then you may want to forego audio entirely.



              Disabling pdfjs is an odd choice, as this was created to increase security. It runs entirely within the browser so it is no more dangerous than any other web page, however downloading a PDF and viewing it in an external program has historically had many security problems.



              As @sourcejedi says, running Firefox inside a VM is a considerably easier option and will give you even more security than you have here, and better performance as well (since you won't be using SSH). You can also snapshot the VM and roll it back if you get compromised, reducing the impact of a malicious site as well.

answered 15 mins ago

Malvineous
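To make the su/sudo suggestion in this answer concrete, here is an added launcher script; it is not Malvineous's code or part of the question's setup. It assumes the dedicated account is called `ffuser` (the name used in the question), that the X server is reached over its local Unix socket, and that `xhost` and `sudo` are installed. The `SAMPLE_GROUP` text is a constructed stand-in for `/etc/group` used only by the dry-run mode.

```sh
#!/bin/sh
# Added example, not part of the answer above: start Firefox as a dedicated
# local account with sudo and a per-user X access-list entry, instead of
# ssh -X to 127.0.0.1. Assumptions: the account is called ffuser (as in the
# question), the X server listens on its local Unix socket, and xhost and
# sudo are installed. Run with "launch" to start the browser, "dry-run" to
# print what would be executed.

FF_USER="${FF_USER:-ffuser}"

# Constructed sample in /etc/group format, used only by the dry-run mode.
SAMPLE_GROUP='audio:x:63:alice,ffuser
ffgroup:x:1001:alice,ffuser
video:x:39:alice'

# Access-list entry for one local UNIX user. "si:localuser:NAME" is a
# server-interpreted entry: the X server checks the credentials of the
# process connecting on the Unix socket, so the display is not opened to
# other users or remote hosts, and ffuser needs no copy of ~/.Xauthority.
xhost_acl_entry() {
    printf 'si:localuser:%s' "$1"
}

# Command that runs Firefox as USER ($1) on DISPLAY ($2). Only DISPLAY is
# passed through; sudo's default env_reset drops the caller's other
# variables, and -H points HOME at the target account's own home so the
# profile and downloads land there rather than in the caller's home.
launch_cmd() {
    printf 'sudo -u %s -H env DISPLAY=%s firefox --no-remote' "$1" "$2"
}

# Exit 0 if USER ($1) is a member of GROUP ($2) in /etc/group-formatted text
# read from stdin. Membership of "audio" is what lets the browser account
# reach the sound devices, and therefore both play and capture audio (the
# trade-off described in the answer); the launcher reports it before start.
user_in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) if (members[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }'
}

run_firefox() {
    display="${DISPLAY:-:0}"
    entry="$(xhost_acl_entry "$FF_USER")"

    if user_in_group "$FF_USER" audio < /etc/group; then
        echo "note: $FF_USER is in group audio (playback and capture possible)" >&2
    fi

    xhost "+$entry" > /dev/null
    # Revoke the grant however the browser exits, so the display is not left
    # open to that account after the session.
    trap 'xhost "-$entry" > /dev/null' EXIT INT TERM

    sudo -u "$FF_USER" -H env DISPLAY="$display" firefox --no-remote
}

case "${1:-}" in
    launch)
        run_firefox ;;
    dry-run)
        echo "xhost +$(xhost_acl_entry "$FF_USER")"
        launch_cmd "$FF_USER" "${DISPLAY:-:0}"; echo
        if printf '%s\n' "$SAMPLE_GROUP" | user_in_group "$FF_USER" audio; then
            echo "sample: $FF_USER would have audio access"
        fi ;;
esac
```

Running `sh ff-launch.sh dry-run` prints the two commands without touching the X access list; `sh ff-launch.sh launch` grants access for exactly one local account, starts the browser, and revokes the grant on exit. Compared with `ssh -X`, nothing is encrypted and decrypted on the way to the display, and the only state change is the access-list entry, which the trap removes.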