cel's hyperboria site

hype-only browsing

An approach to restricting browsing to Hyperboria

Create a new user for Hyperboria-only use

sudo useradd hypeonly -r -d /code/lib/hypeonly

Give the new user access to your regular user's X sessions. This could be done using xauth(1), but if your file system supports it, using ACLs should be easier:

setfacl -m u:hypeonly:r ~/.Xauthority

Enable switching to the hypeonly user without a password

sudo -s
cat <<EOF >/etc/sudoers.d/hypeonly
cel ALL=(hypeonly) NOPASSWD: ALL
EOF

Run the following firewall commands and add them to /etc/rc.local or somewhere so that they run on boot. These commands make it so that network activity of the hypeonly user is restricted to the interfaces tun0 for cjdns and lo for localhost.

Note that if you are using cjdns ipTunnel, clearnet traffic may still pass through. A proper way to do this would limit traffic to fc::/8, but I could not get that to work. Let me know if you know how to do that.

/sbin/iptables -A OUTPUT -m owner --uid-owner hypeonly -o lo -j ACCEPT
/sbin/iptables -A OUTPUT -m owner --uid-owner hypeonly -j REJECT --reject-with icmp-net-unreachable

/sbin/ip6tables -A OUTPUT -m owner --uid-owner hypeonly -o lo -j ACCEPT
/sbin/ip6tables -A OUTPUT -m owner --uid-owner hypeonly -o tun0 -j ACCEPT
/sbin/ip6tables -A OUTPUT -m owner --uid-owner hypeonly -j REJECT --reject-with adm-prohibited

If you make a mistake with the firewall commands and want to start over, the following commands will clear the OUTPUT chain and remove the above rules (and any other rules you may have added, so beware):

/sbin/ip6tables -F OUTPUT
/sbin/iptables -F OUTPUT
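As an added example that is not part of the original page, the rules above folded into one script suitable for calling from /etc/rc.local: it regenerates the ACCEPT/REJECT set for the restricted user, appends each rule only if it is not already present (so a second run on boot does not stack duplicates), and has a check to run once the rules are in place. The user name hypeonly, the tun0 interface and the /sbin paths come from the page; curl, the loopback web server and the probe address are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: build and idempotently apply the
# per-user egress rules described above. Assumptions: restricted user is
# "hypeonly", cjdns sits on tun0, iptables/ip6tables live in /sbin.
HYPE_USER="${HYPE_USER:-hypeonly}"
HYPE_IFACES6="${HYPE_IFACES6:-lo tun0}"   # IPv6: loopback + cjdns
HYPE_IFACES4="${HYPE_IFACES4:-lo}"        # IPv4: loopback only

# hype_rules FAMILY (4|6): print one rule spec per line, ACCEPTs for the
# allowed interfaces followed by the catch-all REJECT for everything else.
hype_rules() {
    if [ "$1" = 6 ]; then
        ifaces="$HYPE_IFACES6"; reject="adm-prohibited"
    else
        ifaces="$HYPE_IFACES4"; reject="icmp-net-unreachable"
    fi
    for ifc in $ifaces; do
        printf 'OUTPUT -m owner --uid-owner %s -o %s -j ACCEPT\n' "$HYPE_USER" "$ifc"
    done
    printf 'OUTPUT -m owner --uid-owner %s -j REJECT --reject-with %s\n' "$HYPE_USER" "$reject"
}

# hype_apply FAMILY: append each rule only if -C reports it is not present yet.
hype_apply() {
    if [ "$1" = 6 ]; then tool=/sbin/ip6tables; else tool=/sbin/iptables; fi
    hype_rules "$1" | while read -r spec; do
        # word-splitting $spec into separate arguments is intended here
        $tool -C $spec 2>/dev/null || $tool -A $spec
    done
}

# hype_verify: as the restricted user, a clearnet IPv4 fetch must fail while
# loopback still answers (assumes curl and a local web server on port 80).
hype_verify() {
    if sudo -u "$HYPE_USER" curl -4 -s -m 5 -o /dev/null http://1.1.1.1/; then
        echo "FAIL: $HYPE_USER reached clearnet over IPv4"; return 1
    fi
    sudo -u "$HYPE_USER" curl -4 -s -m 5 -o /dev/null http://127.0.0.1/ \
        || { echo "FAIL: loopback blocked for $HYPE_USER"; return 1; }
    echo "OK: $HYPE_USER limited to loopback over IPv4"
}

case "${1:-}" in
    show)   hype_rules 4; hype_rules 6 ;;
    apply)  hype_apply 4; hype_apply 6 ;;
    verify) hype_verify ;;
esac
```

Run `hype-firewall.sh show` to inspect the generated rules, `apply` as root to install them, and `verify` afterwards from your regular account.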

If you use the web browser surf, here is a script you can use to activate surf as the hypeonly user:

cat <<'EOF' >/usr/local/bin/hype-surf
#!/bin/sh
exec sudo -u hypeonly surf "$@"
EOF
chmod +x /usr/local/bin/hype-surf

You may want to be able to tell apart hype-surf windows from regular surf windows. The following adds a stylesheet to put a Hyperboria indicator icon in the top right corner of every surf window run by the hypeonly user.

This stylesheet presupposes that you have a local web server hosting the image. Here is an image you can use for that purpose: Hyperboria icon

sudo -u hypeonly -i
mkdir -p .surf/styles
cat <<EOF >.surf/styles/default.css
head {
	display: block;
	width: 16px;
	height: 16px;
	background: url(http://localhost/images/hyperboria-16a.png) no-repeat 0 0;
	position: fixed;
	opacity: 1;
	top: 4px;
	right: 4px;
}
EOF

Other considerations
