Ubuntu – Running Programs As Root While Online


I'm remastering an Ubuntu-based distro, meant to be used live only and primarily as a browser so a user's hard drive can be virus free while online. This live browsing adds security for Linux users, but also doubles as a guardian for Windows and Mac users' hard drives. It is a nice invitation for their users to take a look at what the Linux OS has to offer to help protect their chosen OSs. I'm adding an easy grandma tutorial so they can remaster it with all their browser and user-space customizations.

Most users will want a password manager to help them sign into their accounts. I'm using Firefox, but the Firefox password manager, once opened with the master password, will give any requesting service that knows how to make a request unhindered access to all encrypted passwords. Due to this, I've decided to go with a stand-alone password manager, which will give some permission flexibility to help deal with those issues. KeePassX has been the main choice.

There is a similar problem in that malicious code could access the KeePassX database, because both the malicious code and KeePassX would share the same privileges in the online user's space.

In order to add more security, I'm considering changing the KeePassX permissions so the KeePassX database is not accessible to the online user unless the user enters their admin password. This logically would make it harder for an attacker to access. However, I'm new to setting up security environments. Therefore my question…

Is it a good idea and safe to force KeePassX to be launched only as the root user on Ubuntu, bearing in mind the user will be online with Firefox?

Best Answer

Well, there are two separate aspects to running an application as root; one of them improves security and the other may compromise it. I think mixing those two aspects explains your confusion.

  • Running an application as another user (possibly the root user, but not necessarily) makes it more difficult for another process to access files owned/created by that application and do other nasty things (send a KILL signal, for example). This is good.

  • If an application happens to have a vulnerability (i.e. sending it some specially formatted input makes it execute some code via a buffer overflow etc.), then, after exploiting the vulnerability, the attacker will be able to execute code with the privileges of that process. In this sense, running an application with root privileges is BAD, because it would give the highest level of privileges to the attacker.

Now you understand that running the update manager as root may be bad if it contained a bug which would allow a specially crafted .deb file to crash it and make it execute some code. However, running some applications, such as the package manager, with superuser privileges is unavoidable because they modify the essential parts of the system.

The common solution to this problem is to perform a so-called "privilege drop" on program startup; this is often used to run web servers and other potentially exploitable (and accessible from outside) software. The idea is simple: the program starts as root, but as soon as possible it switches to some user account with as few privileges as possible (no shell login, chroot-ed to its home directory etc.). This way, even if compromised, it would give the attacker very limited access to the system. Also, other user accounts (except the superuser) will have no access to the application's files.

I'm not sure how easy it would be to run a desktop application like this, though.

Actually, in this situation I think running the web browser as a non-privileged user would make more sense. And, of course, Google gives us a few links on the subject:

Taking this idea to the extreme (as you're suggesting in the comments) will give you a system which is similar to how Android works; on Android each application operates within its own user account, so it only has access to its own files. This probably has some problematic areas in Ubuntu, i.e. if you downloaded a file using Firefox running in a restricted account, it'll only be able to save it in its own home folder, so it won't be possible to open the file in a text processor (which runs as another user)...

Regarding the launcher script, I would imagine the script will be starting as root and invoking the applications as their respective users. The script will obviously need to be writable by root only. Read about setuid.
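The launcher described in the last paragraph, written out as an added example that is not part of the original answer: it runs Firefox as a dedicated low-privilege account rather than as the desktop user, and before doing anything as root it checks that the launcher file itself is writable by root only. It assumes an account named webuser, an install path of /usr/local/bin/safe-firefox, sudo for the desktop user, and an X.org display (the xhost localuser grant); none of these names come from the original post.

```shell
#!/bin/sh
# Added launcher example (not part of the original answer). Run by the desktop
# user: it grants the dedicated account access to the X display, re-executes
# itself as root through sudo, and from there starts the browser as that account.
# Assumed names: account "webuser", install path /usr/local/bin/safe-firefox.
set -eu

APP_USER="${APP_USER:-webuser}"
APP_CMD="${APP_CMD:-firefox}"

# Succeeds only if $1 is owned by numeric uid $2 and neither group nor others
# have the write bit, i.e. nobody but that owner can edit the file.
file_writable_only_by() {
    owner=$(stat -c '%u' "$1") || return 1
    mode=$(stat -c '%A' "$1") || return 1        # e.g. -rwxr-xr-x
    [ "$owner" = "$2" ] || return 1
    case "$mode" in
        ?????w*|????????w*) return 1 ;;          # group (6th) or other (9th) char is w
    esac
    return 0
}

# Root side: refuse a launcher anyone else could have edited, then switch to
# APP_USER with a minimal environment, so the browser sees only its own HOME
# and never the desktop user's files (the KeePassX database among them).
run_as_app_user() {
    file_writable_only_by "$0" 0 || { echo "refusing: $0 is not root-only writable" >&2; return 1; }
    app_home=$(getent passwd "$APP_USER" | cut -d: -f6)
    [ -n "$app_home" ] || { echo "no such account: $APP_USER" >&2; return 1; }
    exec runuser -u "$APP_USER" -- env -i HOME="$app_home" DISPLAY="$DISPLAY" \
        PATH=/usr/bin:/bin "$APP_CMD" "$@"
}

main() {
    if [ "$(id -u)" -ne 0 ]; then
        # Desktop-user side: allow only the local account APP_USER to connect to
        # this X display (X.org SI:localuser grant), then re-run as root.
        xhost +SI:localuser:"$APP_USER" >/dev/null
        exec sudo DISPLAY="$DISPLAY" "$0" "$@"
    fi
    run_as_app_user "$@"
}

# Dispatch only when invoked under the installed name, so the functions above
# can also be sourced and tested on their own.
case "${0##*/}" in safe-firefox) main "$@" ;; esac
```

To try it, create the account (for example `sudo adduser --disabled-password webuser`) and install the script with `sudo install -m 755 -o root -g root safe-firefox /usr/local/bin/`; a file Firefox downloads then lands in webuser's home, which is the trade-off the paragraph above about Android-style isolation describes.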