I'm remastering an Ubuntu based distro, meant to be used live only and primarily as a browser so a users hard-drive can be virus free while online. This live browsing adds security for Linux users, but seconds as a Guardian for Windows and Mac users hardrive. It is a nice invitation for their users to take a look at what the Linux OS has to offer to help protect their chosen OS's. I'm adding an easy grandma tutorial so they can remaster it with all their browser and user space customizations.
Most users will want a password manager to help them sign into their accounts. I'm using Firefox, but the Firefox password manager once opened with the master password will give any requesting service that knows how to make a request unhindered access to all encrypted passwords. Due to this, I've decided to go with a stand alone password manager which will give some permission flexibilities to help deal with those issues. Keepassx has been the main choice.
There is a similar problem, in that, malicious code could access the Keepassx data base because both malicious code and Keepassx would share the same privileges in the online users space.
In order to add more security, I'm considering changing Keypassx permisions so the Keepassx data base is not accessible to the online user, unless the user enters their admin password. This logically would result in making it harder for an attacker to access. Although, I'm new to setting up security environments. Therefore my question…
Is it a good idea and safe to force Keepassx only to be launched as root user on Ubuntu, taking in mind the user will be online with Firefox?