Originally posted by stiiixy
For system Firefox, I have a script in /home and a shortcut in the Cinnamon panel to fire it up. It makes a tmpfs, copies all of ~/.mozilla to it, mounts it over ~/.mozilla, changes ownership to the user who launched it, then launches Firefox. Systemd is not involved in this; it's just something else I have been playing with lately. The only way you will interact with systemd (or upstart, or sysVinit) is if you want to automatically shut off something like an ssh or other such server so as not to have that as attack surface while using a non-local network. That was important to me when I only went online by a netbook on the road, then connected it to an offline desktop later to move files. The laptop needed an ssh server, but I wanted that shut off when connected to the Internet on the road.
What would make normal Firefox easier to do all this with would be packaging it in a local directory holding the binary, the .mozilla files, and the libraries needed to run it, the way Torbrowser does, as a "portable" or "noinstall" package. I think that's how Click packages work. Windows also installs programs this way; the fact that ALL the top-level software installs like that is why a Windows install can take up 30GB. That brings up another point: only packages where there is a need for portability or a need to use specific library versions (like development versions of kdenlive) really benefit from this, and there is a space cost. Fortunately, I can easily afford to put a 100MB application folder in /home, which is an encrypted RAID of HDDs. I would not want to put them on the encrypted root volume, which is a tiny SSD.
The point to all this is to run Firefox and Torbrowser from RAM as a disk-avoidance strategy, just as though I had turned my entire system into a live DVD. Nothing better for defeating cookie respawning via other forms of browser data storage than keeping all of it in RAM, and nothing better for preventing a locally-stored history from being available if an attacker manages to somehow defeat my encryption after another house raid. Never put all your trust in a single-layer defense!
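One way to script the tmpfs-over-~/.mozilla procedure the post describes, as an added example that is not stiiixy's script: it assumes the script is started with sudo (so SUDO_USER names the desktop user), a staging directory under /run, a 512M size bound, and that DISPLAY reaches the child process. The extra step worth having is the check that ~/.mozilla really is on tmpfs before Firefox starts, so a failed mount never silently sends browser data back to disk.

```shell
#!/bin/sh
# Added example (not stiiixy's script): run Firefox from a RAM-backed copy of
# ~/.mozilla. Needs root for mount(8); staging dir, size and flags are assumptions.
set -eu

RAM_SIZE="${RAM_SIZE:-512M}"                    # upper bound for the tmpfs (assumed)
USER_NAME="${SUDO_USER:-${USER_NAME:-}}"         # desktop user when run via sudo

# Filesystem type of the mount holding DIR; split out so it can be stubbed in tests.
fs_type() { stat -f -c %T "$1"; }

# Succeeds only if DIR lives on tmpfs: the pre-flight gate before launching.
is_tmpfs() { [ "$(fs_type "$1")" = tmpfs ]; }

# Mount options for the RAM disk: bounded size, owned by and private to UID/GID.
tmpfs_opts() { printf 'size=%s,mode=0700,uid=%s,gid=%s' "$1" "$2" "$3"; }

run_ram_firefox() {
    user="$1"; home=$(getent passwd "$user" | cut -d: -f6)
    uid=$(id -u "$user"); gid=$(id -g "$user")
    profile="$home/.mozilla"
    staging=$(mktemp -d /run/ramprofile.XXXXXX)   # assumed staging mount point

    # 1. tmpfs at the staging point; 2. copy the on-disk profile into it;
    # 3. bind it over ~/.mozilla so Firefox only ever reads and writes RAM.
    mount -t tmpfs -o "$(tmpfs_opts "$RAM_SIZE" "$uid" "$gid")" tmpfs "$staging"
    cp -a "$profile/." "$staging/"
    mount --bind "$staging" "$profile"
    chown -R "$uid:$gid" "$profile"

    is_tmpfs "$profile" || { echo "$profile is not on tmpfs, refusing to start" >&2; exit 1; }

    # Caveat: tmpfs pages can be swapped out, so disk avoidance also needs swap
    # disabled or encrypted. Run Firefox as the desktop user, then tear the RAM
    # copy down on exit; nothing is written back to the on-disk profile.
    runuser -u "$user" -- env HOME="$home" firefox --no-remote || true
    umount "$profile"; umount "$staging"; rmdir "$staging"
}

# Usage: sudo ./ramfox.sh run
case "${1:-}" in run) run_ram_firefox "$USER_NAME" ;; esac
```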