How to restrict which folders webbrowsers can get access to?

Mike3
Posts: 112
Joined: Fri Aug 28, 2020 1:26 pm
Been thanked: 1 time

How to restrict which folders webbrowsers can get access to?

Post by Mike3 »

I wanna just have a shared folder somewhere where web browsers can pick up files (to attach in emails and the like) and to restrict / forbid access to all other parts of the computer.

I know this is done in Easy OS.

Is it possible to do in Puppy Linux? If so, how?

And also he somehow made it so that apps run isolated, so that all the files the browser saves and everything are in one folder or container. Would it be possible to have some apps run in this kind of container in Puppy too? If so, how? I know one Puppy with the container system built in was made, but it seems they stopped making them.

Last edited by Mike3 on Fri Dec 03, 2021 8:17 pm, edited 3 times in total.
williwaw
Posts: 1937
Joined: Tue Jul 14, 2020 11:24 pm
Has thanked: 170 times
Been thanked: 368 times

Re: Restrict which folders webbrowsers can get access to.

Post by williwaw »

user spot is restricted, for maybe the reasons you are looking for?

do you need more of a "jail" for something in particular?

Mike3
Posts: 112
Joined: Fri Aug 28, 2020 1:26 pm
Been thanked: 1 time

Re: Restrict which folders webbrowsers can get access to.

Post by Mike3 »

Yes, I need a jail for web browsers, like Chrome, Firefox and the like. Also I just like security measures.

How restricted is spot? I read this:

"But, you can run, for example, SeaMonkey (browser, Composer, mail&news, IRC-chat suite), as spot. The home directory for spot is /root/spot, and SeaMonkey will only be able to (normally) edit/create/write files inside /root/spot."

But will it be able to read files outside of spot?

How do I set up a browser to run from spot?

Also, will running a browser from spot mean all cookies and cached stuff is saved there?

Also I read that only SeaMonkey and didiwiki could be run as spot / from spot. Apparently the fork fatdog64 can run any browser as spot. I'm not using Fatdog; is there any way I can make this happen in Puppy?

Last edited by Mike3 on Fri Dec 03, 2021 8:18 pm, edited 1 time in total.
dancytron
Posts: 722
Joined: Fri Dec 13, 2019 6:26 pm
Has thanked: 519 times
Been thanked: 217 times

Re: Restrict which folders webbrowsers can get access to.

Post by dancytron »

Puppy has more or less the same little "run-as-spot" script as Fatdog.

viewtopic.php?f=159&t=1870

Run "run-as-spot /pathtobrowser" and it should work; the apulse is a workaround for no pulse audio.

It will be able to read files outside of the spot directory, but unless you do something to change the directory ownership, it won't write to anywhere but ~/spot.

You might want to search the forum for "chroot"; I think that might accomplish what you're after if spot isn't enough.
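
The read-but-not-write behaviour described in the post above follows from ordinary Unix mode bits and can be audited per path. This is an added example, not part of the original thread or of Puppy's own scripts; it assumes an account named spot, classic owner/group/other permissions only (no ACLs or supplementary groups), and a `stat` that accepts `-L -c` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example: what may a non-root account such as spot do with a path?
# Uses classic owner/group/other mode bits only. Assumptions: no ACLs, no
# supplementary groups, uid is not 0 (root bypasses these checks).

# perm_bits UID GID PATH -> prints the rwx digit (0-7) that applies to UID/GID
perm_bits() {
    pb_uid=$1; pb_gid=$2
    pb_stat=$(stat -L -c '%u %g %a' "$3") || return 1
    set -- $pb_stat                      # $1=owner uid, $2=owner gid, $3=octal mode
    pb_mode=$((0$3))                     # leading 0 makes the shell read it as octal
    if [ "$pb_uid" -eq "$1" ]; then echo $(( (pb_mode >> 6) & 7 ))
    elif [ "$pb_gid" -eq "$2" ]; then echo $(( (pb_mode >> 3) & 7 ))
    else echo $(( pb_mode & 7 ))
    fi
}

# reachable UID GID ABSPATH -> status 0 if every parent directory grants search (x)
reachable() {
    case $3 in /*) ;; *) return 2 ;; esac
    r_dir=$(dirname "$3")
    while :; do
        r_bits=$(perm_bits "$1" "$2" "$r_dir") || return 1
        [ $(( r_bits & 1 )) -eq 1 ] || return 1
        [ "$r_dir" = "/" ] && return 0
        r_dir=$(dirname "$r_dir")
    done
}

# access_for UID GID ABSPATH -> prints none, read-only, write-only or read-write
access_for() {
    reachable "$1" "$2" "$3" || { echo none; return 0; }
    a_bits=$(perm_bits "$1" "$2" "$3") || { echo none; return 0; }
    case $(( a_bits & 6 )) in
        6) echo read-write ;;
        4) echo read-only ;;
        2) echo write-only ;;
        *) echo none ;;
    esac
}

# Report for the spot account, if this system has one (paths named in the thread).
if id spot >/dev/null 2>&1; then
    for p in /root /root/.mozilla /root/spot /etc/passwd; do
        if [ -e "$p" ]; then
            printf '%-16s %s\n' "$p" "$(access_for "$(id -u spot)" "$(id -g spot)" "$p")"
        fi
    done
fi
```

A path reported as `none` because a parent directory lacks the search bit stays hidden from that account even when the file itself is world-readable, which is how a mode 700 directory shields its contents.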

Mike3
Posts: 112
Joined: Fri Aug 28, 2020 1:26 pm
Been thanked: 1 time

Re: How to restrict which folders webbrowsers can get access to?

Post by Mike3 »

So to run as spot should I just type: run-as-spot /usr/bin/firefox ?

So is chrooting what was used to have containers in easy OS?

It seems to chroot people usually use the debootstrap app, but that seems to be creating a Debian filesystem or be adapted to Debian, will it work with Puppy?

And what does one use the schroot app for?

Will chrooting a browser make it so that all the cookies and cached web stuff is also stored in the chroot environment?

Last edited by Mike3 on Fri Dec 03, 2021 8:18 pm, edited 1 time in total.
bigpup
Moderator
Posts: 6983
Joined: Tue Jul 14, 2020 11:19 pm
Location: Earth, South Eastern U.S.
Has thanked: 903 times
Been thanked: 1522 times

Re: How to restrict which folders webbrowsers can get access to?

Post by bigpup »

Most Puppy versions have the menu>System>Login and Security Manager

In it you can select to run web browsers as spot.
This sets up the browser to run as spot.
So, the normal way, to start the browser, now runs it as spot.

The things you do not tell us, are usually the clue to fixing the problem.
When I was a kid, I wanted to be older.
This is not what I expected :o

Mike3
Posts: 112
Joined: Fri Aug 28, 2020 1:26 pm
Been thanked: 1 time

Re: How to restrict which folders webbrowsers can get access to?

Post by Mike3 »

Ok, so I did the menu>System>Login and Security Manager to set it up to run from spot, and it seems to have worked. But now it starts the not hardened original version of Firefox, whereas before it always started the hardened version I made (not to send data to servers and not to do automatic updates and so on).

Weird, why is this. Do I have to do the hardening again now?

Also I looked a bit at schrooting and as I understand it it basically makes like a copy of the whole filesystem to fool the app it is running in the original or real environment when it is running in a copy and this would then like double the space that is loaded to RAM at startup. Is this so?

And also if I run several apps in chroot will they be able to access each other? Is there a way to have isolation between running apps like Barry K did in easy OS?

I also looked at some descriptions on how to do the chrooting but it was all debian based or based on ubuntu. Will it work to do in Puppy? Has anyone done a 'How to' thing on it?

williwaw
Posts: 1937
Joined: Tue Jul 14, 2020 11:24 pm
Has thanked: 170 times
Been thanked: 368 times

Re: How to restrict which folders webbrowsers can get access to?

Post by williwaw »

Mike3 wrote: Fri Dec 03, 2021 9:44 am

Weird, why is this. Do I have to do the hardening again now?
each user has its own browser profile in the users home directory
you could copy /root/.mozilla to /spot/.mozilla (be sure to change the owner to match)

Is there a way to have isolation between running apps like Barry K did in easy OS?
create a new owner for each app

Mike3
Posts: 112
Joined: Fri Aug 28, 2020 1:26 pm
Been thanked: 1 time

Re: How to restrict which folders webbrowsers can get access to?

Post by Mike3 »

How do I change the owner when I move .mozilla file to root to match?

How do I create a new owner for each app?

williwaw
Posts: 1937
Joined: Tue Jul 14, 2020 11:24 pm
Has thanked: 170 times
Been thanked: 368 times

Re: How to restrict which folders webbrowsers can get access to?

Post by williwaw »

most distros implement linux as a multiuser system, but puppy is a single user implementation and generally lacks the gui apps for account creation. I would suggest looking for a basic linux command tutorial and look at the adduser command, and for changing owners, the chown command.

if you need help with these commands, many here can offer assistance.

Mike3
Posts: 112
Joined: Fri Aug 28, 2020 1:26 pm
Been thanked: 1 time

Re: How to restrict which folders webbrowsers can get access to?

Post by Mike3 »

Thanks a lot for the tip on the adduser & chown command things, I will look into it for sure.

But what owner should I switch to when moving the .mozilla folder from root to spot? Do I have to delete an existing .mozilla file in spot before moving the .mozilla file I have in root there?

JASpup
Posts: 1653
Joined: Sun Oct 04, 2020 10:52 am
Location: U.S.A.
Has thanked: 70 times
Been thanked: 89 times

Re: How to restrict which folders webbrowsers can get access to?

Post by JASpup »

Mike3 wrote: Fri Dec 03, 2021 1:10 pm

But what owner should I switch to when moving the .mozilla folder from root to spot?

I just did this. You're like an apt-get guy.

You're running as root and you don't have to switch owners.

Do I have to delete an existing .mozilla file in spot before moving the .mozilla file I have in root there?

No

On the Whiz-Neophyte Bridge
Linux Über Alles
Disclaimer: You may not be reading my words as posted.

Mike3
Posts: 112
Joined: Fri Aug 28, 2020 1:26 pm
Been thanked: 1 time

Re: How to restrict which folders webbrowsers can get access to?

Post by Mike3 »

I was basing my question on what williwaw wrote, that I need to change owner when moving the file. I will try things out.

JASpup
Posts: 1653
Joined: Sun Oct 04, 2020 10:52 am
Location: U.S.A.
Has thanked: 70 times
Been thanked: 89 times

Re: How to restrict which folders webbrowsers can get access to?

Post by JASpup »

@Mike3 booting into Puppy you are root.

You can switch into user Spot at terminal or run apps as Spot, but at desktop you'll always have access to the full file system as root.

If you copy the firefox config from /root/.mozilla or /root/spot/.mozilla it doesn't make much of a difference either direction. It will overwrite whatever is there with or without a prompt, or you can clear the destination first.

If you want a full desktop limited access user, you can toy around with Fido, but it isn't written about much here as most do not seem to use it.

https://bkhome.org/archive/puppylinux/t ... l/root.htm

On the Whiz-Neophyte Bridge
Linux Über Alles
Disclaimer: You may not be reading my words as posted.

Mike3
Posts: 112
Joined: Fri Aug 28, 2020 1:26 pm
Been thanked: 1 time

Re: How to restrict which folders webbrowsers can get access to?

Post by Mike3 »

Can I run an app in fido mode, or from fido and still have root access?

How restricted are apps that run in fido? Can they read from root?

Can one move files to fido easily so that apps that run in fido can access them to upload?

How does one set up Fido and apps to have them run in Fido?
