Creating A New User Account For Pidgin

This post will be dedicated to showing you how to run Pidgin in a separate user account. You can apply this to other programs as well. I’ll be adding a bit later for setfacl and allowing for shared files between user accounts.

Why Are We Doing This?

There are three main benefits to running programs in a separate user account.

1) The Linux ACL system is user/group based, therefore one user account is largely limited in its interaction with another.

2) The X11 system allows for key passing between all applications that share access to it. You can restrict X11 access to specific users, so a program that doesn’t need X11 access (i.e. some service) can run in a separate user account, which prevents keylogging through X11. Pidgin uses X11 and needs that access, so it unfortunately will not benefit from this.

3) IPTables can match traffic by the user or group that owns it. While an outbound firewall may be virtually useless for a typical system, if you were to separate each application into its own group you would essentially create an application firewall, allowing only specific groups to use specific ports. This is far better than the typical outbound firewall setup that allows all applications to use any outbound port.
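Benefit 1 only holds for files whose mode bits actually exclude other accounts, so it is worth checking your home directory before relying on it. The check below is an added example, not part of the original post; the function names other_accessible and deny_other are hypothetical, and it assumes the directories above the one you pass are traversable.

```shell
#!/bin/sh
# Added example: what can a *different* local account reach under DIR?

# other_accessible DIR -> paths whose "other" bits grant read or write.
# Directories without other-execute are pruned: nothing below them can be
# reached by another account, whatever the modes of the files inside.
other_accessible() {
    find "$1" -type d ! -perm -0001 -prune -o \
        ! -type l \( -perm -0004 -o -perm -0002 \) -print 2>/dev/null | sort
}

# deny_other DIR -> drop every "other" permission on DIR itself.
# Because of the pruning rule above, this alone closes the whole tree.
deny_other() {
    chmod o-rwx "$1"
}

# Usage: sh thisfile "$HOME"
if [ "$#" -gt 0 ]; then other_accessible "$1"; fi
```

An empty result for your home directory means the new account cannot read into it through mode bits; named-user ACL entries added with setfacl are not covered by this check.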

Notes

If I use ‘<username>’ I’m talking about your default username. If I use ‘<username.program>’ I’m talking about, in this case, username.pidgin.

If you run your Pidgin as another user and someone links you to something and you click it the browser will open up under that user. There is likely a way around this by using setfacl but I haven’t gotten to that yet.

If someone sends you a file it will be in the other user account’s folder.

There is a distinct hit to your basic user convenience for the benefit of a potentially more secure system. If you are not looking for a hit in convenience I suggest you set up a comprehensive apparmor profile instead.

It’s quite easy to undo everything in this guide. You simply remove the user and use your old shortcut.

Let’s Get Started

The first thing we do is actually create the user. This is simple.

sudo adduser --force-badname <username.pidgin>

It doesn’t have to be username.pidgin; it can be just pidgin, or it can be ‘koala’. I really don’t actually care what you name it and neither does Linux. It’s purely organizational.

We need to give Pidgin X11 access; it’s a graphical program after all.

sudo xhost +SI:localuser:<username.pidgin>

If you ever want to remove that simply turn the + to a -.

This only gives access until a reboot. Anyone know how to make it permanent? Other than rc.local.

Now we create a shortcut to this new Pidgin. Open gedit and enter the following:

[Desktop Entry]
Type=Application
Name=Pidgin
Icon=pidgin
Exec=gksu -u <username.pidgin> pidgin


Save it as pidgin.desktop. Make this file executable and put it somewhere safe. Add it to your launcher.

Now if you click that you’ll be prompted with a safe gksudo prompt for your password. If you don’t like this there’s a simple way around it.

sudo EDITOR=nano visudo

Add the line:

<username> ALL = (<username.pidgin>) NOPASSWD: /usr/bin/pidgin

Now when you launch it there should be no password.

That’s it.

You can now create IPTables rules for this user, for example:

sudo iptables -A OUTPUT -m owner --uid-owner <username.pidgin> -j REJECT

And you should recreate your Apparmor profile for Pidgin as well. I highly recommend you still make use of Apparmor.
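The single REJECT rule above blocks all traffic from the account; the "application firewall" idea from the start of the post needs ACCEPT rules for the wanted ports placed before it. The generator below is an added example, not part of the original post: the function name owner_allowlist is hypothetical, the ports are whatever you pass in, and it assumes name resolution goes out over UDP port 53.

```shell
#!/bin/sh
# Added example: print (not apply) a per-account outbound allowlist.

# owner_allowlist USER PORT...  -> one iptables command per line
owner_allowlist() {
    user=$1
    [ "$#" -gt 0 ] && shift
    # Accept only plain account names so the printed commands are shell-safe.
    case $user in
        ''|[!A-Za-z0-9]*|*[!A-Za-z0-9._-]*)
            echo "bad user: $user" >&2; return 1 ;;
    esac
    # Validate every port before printing anything.
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "bad port: $port" >&2; return 1
        fi
    done
    match="-m owner --uid-owner $user"
    # Name resolution; assumes the resolver is reached over UDP port 53.
    echo "iptables -A OUTPUT $match -p udp --dport 53 -j ACCEPT"
    for port in "$@"; do
        echo "iptables -A OUTPUT $match -p tcp --dport $port -j ACCEPT"
    done
    # The page's own rule goes last: -A appends, and the first match wins.
    echo "iptables -A OUTPUT $match -j REJECT"
}

# Usage: sh thisfile <username.pidgin> PORT...   then review the output
# and pipe it to a root shell to apply it.
if [ "$#" -gt 0 ]; then owner_allowlist "$@"; fi
```

As the comments below the post point out, an allowlist like this narrows what the account can reach but does not stop data leaving over a port you have left open.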

Allowing For Mutual File Access

I’ll write about setfacl here. I’ll get to it another time. Hopefully this will allow me to (safely) execute Google Chrome in a separate UID.

Removing User Account

To remove the user account just use sudo deluser <username.pidgin>

Sources:

Most of this comes from (https://grepular.com/Protecting_Your_GNU_Linux_System_from_Dropbox) – great guide for doing this to Dropbox.

6 thoughts on “Creating A New User Account For Pidgin”

  1. I like the idea but the only benefit here is, that you can very easily “restrict” pidgin in which ports it is allowed to use, isn’t it?

    In the Dropbox case you give the dropbox user temporarily access to your X-Server to Install / Setup and after that the access is revoked. But for pidgin or any other X program, you need constant access to the X Server and therefore pidgin.username is still able to read your keystrokes. Also you cannot restrict outgoing traffic completely for obvious reasons.

    I am not trying to sound mean or disrespectful in any way, but I don’t see the point here. Help me out?

    • You’re correct. Once it has access to the X11 server it can log the keys – just tested this. For some reason I’d thought otherwise.

      You restrict pidgin to a separate user account, which would prevent it from reading/writing to certain areas of another user account (except for globally readable areas) and you can also play with IPTables rules. Those would be the benefits for a GUI program as well as a service that doesn’t need internet access. Otherwise it’s a lot more ‘simple’ of a restriction on where it can read/write. For something like, say, DNSCrypt running as a separate user makes more sense – it needs no X11 access. For something like Pidgin it makes some sense as you can restrict some internet traffic but it’s more to separate it further from the system. I think many services ship under separate users by default.

      I use Xchat. It doesn’t seem to get updated/ patched anymore so if I can restrict it/ isolate it in any way it’s best to do so. I don’t really bother for Pidgin as it’s updated consistently and has an apparmor profile defined for it.

      Thanks for the comment. I’ll update the guide to reflect this.

      • Have a look at irssi as IRC Client. It’s a bit of a steep learning curve but works quite well and the one huge advantage in my eyes is: it’s console based, so you can run it on every server you want without problems. If you run it in tmux you can just attach to your chat-session again.

        I don’t know if it’s still as grim as it was a few years ago, but this talk here at 26c3: https://www.youtube.com/watch?v=8Q8EFwKVKdA while presenting “theoretical scenarios” was quite .. frightening. (around minutes 8 – 10 or so, but the whole talk is worth it 🙂 )

        My point would be: If someone takes the time and goes the extra mile to hack your XChat or Pidgin, she will certainly not be hindered by some custom firewall rules that prevent the hacked application of using some ports. Even by just sending messages you could basically write a protocol wrapper for whatever you want and “pipe” it over messages without the user knowing.

        Another user context is often used, yes, i.e. www-data but… and has its purposes, but once you can read keystrokes … I mean… would you willingly turn off pidgin and remove the x-access every time you use sudo or log into another machine via ssh? Sounds unrealistic, not very practical to me.

        • I agree that having those custom Firewall rules likely would not help except in the case where you’ve removed internet access entirely. Then, of course, they can still regain internet access but it would take much more work. If you leave any of the ports for that user open you essentially make it all useless, which is why I don’t bother with outbound rules.

          I’ll check out irssi, thanks.

          I agree that there’s no benefit in terms of keylogging for Pidgin – as you say you’d have to remove the X11 access every time you sudo (I gksudo anyways) but for another program/ service that doesn’t need X11 access it makes sense.

          And for a program that needs no internet access it can certainly make sense.

          And you can further isolate the program from the system ie: Pidgin can no longer read/ write to files not owned by user.pidgin. Naturally you could just use apparmor for this but it doesn’t hurt to do both.
