Topic: Secure wallet.dat on linux, best practice?
jago25_98 (OP)
January 11, 2014, 07:16:06 PM
Last edit: January 13, 2014, 08:51:32 AM by jago25_98
 #1

 
A lot of people give their browser and its fully unvetted extensions access to their wallet by running their browser as the same user as their bitcoin wallet. Seeing as the NSA have poked a hole in Firefox and arrested people with it, we can rest assured that this is not a far-fetched attack.
 If you're running linux it makes sense to at least make use of the security features it offers. The question is, what is the best setup for this?

- Is it best to run your browser as a different user to your X session and bitcoin wallet?

Code:
[user2@localhost ~]$ cat .profile 
# allow user1 (gamer, untrusted stuff)  to display apps on this X server
# (don't do that for local non-X and any remote connections)
if [ -n "$DISPLAY" -a -z "$SSH_CLIENT" ]; then
    xhost +si:localuser:user1
fi
[root@localhost ~]# cat /etc/sudoers.d/chrome-as-user2
user1 ALL = (user2) NOPASSWD: /usr/bin/google-chrome
[root@localhost ~]#
Code:
sudo -u user2 /usr/bin/google-chrome
sandbox -t sandbox_web_t -i /home/j/.mozilla -X firefox

 - Sandbox prevents copy and paste... so that's pretty useless. If you run your browser as a different user, you then need everything else running as that user, because if you download to your home directory you then need the file manager to be able to read that directory. It then becomes really tiresome changing everything else over.

 - So... perhaps it's better to run your bitcoin wallet as a separate user and keep everything else as before? Then have a shortcut on your desktop to run bitcoin as that other user. You can then interact and back up by copy and paste... but you don't have access to ~/.bitcoin (or ~/.electrum)

Code:
(copy wallet.dat to user2 dir and chown to user2:user2)
[root@localhost ~]# cat /etc/sudoers.d/electrum-as-user2
user1 ALL = (user2) NOPASSWD: /usr/bin/electrum
[root@localhost ~]#
Code:
sudo -u user2 /usr/bin/electrum

 But hang on...
the chances are that your current user has sudo capability to root... and it's also common, thanks to Ubuntu, to have the same password for logon as for sudo...
 so how do we change that? I mean, what's the better setup for su/sudo as regards that? Am I on the right track here? How do you have it set up?

empoweoqwj
January 12, 2014, 02:17:35 AM
 #2

Keep most of your bitcoins in a computer never connected to the Internet
Abdussamad
January 12, 2014, 04:51:25 AM
 #3

I suppose you could have your seeded Electrum wallet under a different user than the one you use for web browsing. The wallet file would then be under /home/different_user/.electrum/wallets/default_wallet. Then you could install a watch-only wallet under your normal user.

Of course just moving your existing wallet file is not good enough. You have to send the coins to the new wallet under different_user.
jago25_98 (OP)
January 12, 2014, 03:35:22 PM
 #4

Ok. Seems like the thing to do then is:

- new user2, seed new wallet, send coins to that wallet, back it up. Add passwordless ability to run that wallet software from user3 with the sudoers file example I showed in the 1st post
- new user3 for browsing and desktop. Log in as this user graphically. No sudo capability for this account
- keep original user1 for sudo to root only. Access it via ctrl+alt+f2 or just log in as root

This would be in addition to the majority of coins in a paper wallet, which you'll need a webcam or phone wallet to access, not to mention physical access to the age they're stored in.

Hope this helps. This should all be set up out of the box or just apt-get'able
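
An added example, not part of any post in this thread: a small POSIX shell audit for the layout proposed above (user2 owns the wallet, user3 browses) and for the sudoers rule style shown in the first post. It checks that a wallet path grants nothing to group or other and flags sudoers rules that give the desktop user more than the single wallet command; the function names and sample rules are constructed, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: audit the split-user layout from this thread.
# user2 = wallet owner, user3 = desktop/browser user (the thread's names).
# Assumes Linux with GNU stat; handles one-rule-per-line sudoers text only
# (no aliases, no line continuations). Rules granted through a group
# (e.g. %sudo) are checked by passing that group as the first argument.

# Succeeds only if the file or directory grants nothing to group or other.
private_mode() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Prints "skip" for rules about other users, "narrow" when the rule lets
# $1 run exactly one absolute command path as $2, and "broad" otherwise.
classify_rule() {
    desktop=$1 wallet=$2 line=$3
    set -f; set -- $line; set +f          # split the rule without globbing
    [ "$1" = "$desktop" ] || { echo skip; return; }
    rhs=$(printf '%s' "${line#*=}" | tr -d ' \t')
    case $rhs in
        "($wallet)"*) cmd=${rhs#"($wallet)"}; cmd=${cmd#NOPASSWD:} ;;
        *) echo broad; return ;;          # runs as root, ALL, or no runas
    esac
    case $cmd in
        *,*|*'*'*|*'?'*) echo broad ;;    # command lists and wildcards
        /*) echo narrow ;;
        *) echo broad ;;                  # ALL or a non-absolute command
    esac
}

# Reads sudoers-style text on stdin; prints how many rules are "broad".
count_broad() {
    n=0
    while IFS= read -r l; do
        if [ "$(classify_rule "$1" "$2" "$l")" = broad ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed sample rules, not taken from a real system.
SAMPLE='# /etc/sudoers.d sample
user1 ALL = (ALL) ALL
user3 ALL = (user2) NOPASSWD: /usr/bin/electrum
user3 ALL = (user2) NOPASSWD: /usr/bin/electrum, /bin/sh
user3 ALL = (root) NOPASSWD: ALL'

printf '%s\n' "$SAMPLE" | count_broad user3 user2   # prints 2
```

`private_mode` is meant to be pointed at the wallet file and its directory (for example user2's `~/.electrum`); a non-zero status means group or other still has some access.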
