A lot of people give their browser and it's fully unvetted extensions access to their wallet by running their browser as the same user as their bitcoin wallet. Seeing as the NSA have poked a hole in Firefox and arrested people with it we can rest assured that this is not a far fetched attack.
If you're running linux it makes sense to at least make use of the security features it offers. The question is, what is the best setup for this?
- Is it best to run your browser as a different user to your X session and bitcoin wallet?
[user2@localhost ~]$ cat .profile
# allow user1 (gamer, untrusted stuff) to display apps on this X server
# (don't do that for local non-X and any remote connections)
if [ -n "$DISPLAY" -a -z "$SSH_CLIENT" ]; then
xhost +si:localuser:user1
fi
[root@localhost ~]# cat /etc/sudoers.d/chrome-as-user2
user1 ALL = (user2) NOPASSWD: /usr/bin/google-chrome
[root@localhost ~]#
sudo -u user2 /usr/bin/google-chrome
sandbox -t sandbox_web_t -i /home/j/.mozilla -X firefox
- Sandbox prevents copy and paste... so that's pretty useless. If you run your browser as a different user then you then need everything else running as that user because if you download to your home directory you then need the filemanager to be able to read that directory. It then becomes really tiresome changing everything else over.
- So... perhaps it's better to run your bitcoin wallet as a separate user and keep everything else as before? Then have a shortcut on your desktop to run bitcoin as that other user. You can then interact and backup by copy and paste... but you don't have access to ~/.bitcoin (or ~/.electrum)
(copy wallet.dat to user2 dir and chown to user2:user2)
[root@localhost ~]# cat /etc/sudoers.d/electrum-as-user2
user1 ALL = (user2) NOPASSWD: /usr/bin/electrum
[root@localhost ~]#
sudo -u user2 /usr/bin/electrum
But hang on...
the chances are that your current user has sudo capability to root... and it's also common thanks to Ubuntu to have the same password for logon as to sudo...
so how do we change that? I mean, what's the better setup for su/sudo regards that? Am I on the right track here? How do you have it setup?