Second take on the problem of defending against the Evil Internets.

Last time I took some notes about how to use the sandbox(1) command to put Firefox in a security jail. The script below refines that technique further.

A temporary directory is created and populated with a hardened Firefox profile, based on pyllyukko's user.js.

The script relies on a clone of the user.js repository existing under $PATH_TO_USER_JS. On my system that clone is refreshed daily by a cronjob, so the profile always starts from the current set of hardened preferences.

Once the sandboxed Firefox process exits, the script recursively removes the temporary directory (profile, cache and all) by means of an EXIT trap, so no browsing state survives the session.

```sh
#!/bin/sh
# Abort on the first failing command (-e) and trace what runs (-x).
set -xe

# Throwaway $HOME for this browser session; mktemp -d creates it mode 0700.
tempdir="$(mktemp -d /tmp/browser-XXXXX)"
# Whatever happens, wipe the whole directory when the script exits.
trap "rm -rvf '$tempdir'" EXIT

# -- Profile creation --
# Short pseudo-random profile name; %.8s keeps the first 8 hex digits.
profile_name=$(printf '%.8s.sandboxed' "$(date +%s | md5sum)")
profile_dir="$tempdir/.mozilla/firefox/$profile_name"
mkdir -p "$profile_dir"

# Register the profile so Firefox starts straight into it without asking.
cat >"$tempdir/.mozilla/firefox/profiles.ini" <<EOF
[Profile0]
Name=sandboxed
IsRelative=1
Path=$profile_name

[General]
StartWithLastProfile=1
Version=2

[Install11457493C5A56847]
Default=$profile_name
Locked=1
EOF

# Drop the hardened preferences in; fails (and cleans up) if the clone is missing.
cp "$PATH_TO_USER_JS/user.js/user.js" "$profile_dir"

# -M: mount the given directories over $HOME (-H) and /tmp (-T) inside the
#     sandbox, so Firefox never sees the real home directory.
# -X: run in a nested X server (Xephyr) of the given size (-w), isolating
#     the browser from the host display.
# -t: run under the SELinux type that permits network access.
sandbox \
    -M -T "$tempdir" -H "$tempdir" \
    -X -w 1600x900 \
    -t sandbox_web_t \
    firefox \
    "$@"
```

It is of course possible to add useful Firefox extensions (NoScript or HTTPS Everywhere, for instance) by placing the corresponding .xpi files under the $profile_dir/extensions directory. Note that Firefox only picks up a file there if it is named after the add-on's ID (for example {73a6fe31-595d-460b-a920-fcc0f8843232}.xpi) and carries a valid Mozilla signature; a file keeping its download name is silently ignored.

In my case they are not needed, as they're enabled system-wide.
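The following helper automates the extension drop-in described above. It is an added example, not part of the original post or of the author's script: it reads the add-on ID out of the xpi's own manifest.json (the `browser_specific_settings.gecko.id` or legacy `applications.gecko.id` key) and copies the file into `<profile>/extensions/<id>.xpi`, refusing to guess when no ID is declared. The `build_sample_xpi` function only fabricates an unsigned, constructed xpi so the helper can be exercised offline; real Firefox builds would reject such a file for lacking a signature.

```python
"""Sideload an .xpi into a throwaway Firefox profile under its add-on ID.

Added example, not the original script. Firefox only loads a file placed in
<profile>/extensions/ when it is named after the add-on ID, so the name is
taken from manifest.json rather than from the downloaded file.
"""
import json
import os
import shutil
import tempfile
import zipfile


def addon_id(xpi_path):
    """Return the Gecko add-on ID declared in the xpi's manifest.json.

    WebExtensions declare it under "browser_specific_settings" (current) or
    "applications" (legacy). Raise if neither is present: a wrongly named
    sideloaded file is ignored by Firefox, so guessing would fail silently.
    """
    with zipfile.ZipFile(xpi_path) as z:
        manifest = json.loads(z.read("manifest.json"))
    for key in ("browser_specific_settings", "applications"):
        gecko = manifest.get(key, {}).get("gecko", {})
        if "id" in gecko:
            return gecko["id"]
    raise ValueError(f"{xpi_path}: manifest.json declares no gecko id")


def install_xpi(xpi_path, profile_dir):
    """Copy xpi_path to profile_dir/extensions/<id>.xpi and return that path."""
    ext_dir = os.path.join(profile_dir, "extensions")
    # 0700 like the mktemp -d profile directory it lives in.
    os.makedirs(ext_dir, mode=0o700, exist_ok=True)
    dest = os.path.join(ext_dir, addon_id(xpi_path) + ".xpi")
    shutil.copyfile(xpi_path, dest)
    return dest


def build_sample_xpi(path, gecko_id=None):
    """Write a minimal, unsigned xpi (constructed sample, not a real add-on).

    Exists only so the helper can be exercised offline; Firefox would reject
    it for lacking a Mozilla signature.
    """
    manifest = {"manifest_version": 2, "name": "sample", "version": "1.0"}
    if gecko_id is not None:
        manifest["browser_specific_settings"] = {"gecko": {"id": gecko_id}}
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("manifest.json", json.dumps(manifest))
    return path


def demo():
    """Build a sample xpi in a scratch dir, install it, return (basename, exists)."""
    with tempfile.TemporaryDirectory() as tmp:
        xpi = build_sample_xpi(os.path.join(tmp, "download.xpi"), "sample@example.com")
        profile = os.path.join(tmp, ".mozilla", "firefox", "abcd1234.sandboxed")
        dest = install_xpi(xpi, profile)
        return os.path.basename(dest), os.path.isfile(dest)


def demo_missing_id():
    """Return True if an xpi without a declared ID is refused rather than guessed."""
    with tempfile.TemporaryDirectory() as tmp:
        xpi = build_sample_xpi(os.path.join(tmp, "anonymous.xpi"))
        try:
            install_xpi(xpi, os.path.join(tmp, "profile"))
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print(demo(), demo_missing_id())
```

In the sandbox script this would run between the `cp` of user.js and the `sandbox` invocation, once per extension, with `$profile_dir` as the second argument.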

As for ad blocking, I'm currently relying on DNS-level filtering by means of the (still experimental) myofb toolkit.