Re: Sandboxing



On 9 nov. 06, at 09:17, mal content wrote:

man jail(8)

A full jail is quite extreme, don't you think? Besides, it'd be tricky to allow
a jailed program to write to ~/.mozilla and /tmp.

A full jail is for beginners ;)
You can jail a program with only a minimal /dev/ and libs, like it was done with named before FreeBSD chose to chroot by default.
Depending on what you want to jail, it can be more or less complicated. Maybe MAC and ACL is the way to go for you, I don't know.

patpro

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"


