Re: Sandboxing
- From: Luke Crawford <lsc@xxxxxxxxx>
- Date: Thu, 9 Nov 2006 00:48:29 -0800 (PST)
On Thu, 9 Nov 2006, mal content wrote:
On 09/11/06, Luke Crawford <lsc@xxxxxxxxx> wrote:
man jail(8)
A full jail is quite extreme, don't you think? Besides, it'd be tricky to allow
a jailed program to write to ~/.mozilla and /tmp.
Not really. well, it would be difficult to let it write to both ~/.mozilla and /tmp unless your homedir is under /tmp, what I would do is run mozilla under ~/mozilla and use that as the jail chroot. give it an internal IP and connect via X over IP if you want... or figure out how to put the named pipe unter ~/.mozilla (I'm not going to look it up for you, but there is a way... your jail system can't write outside the jail, but your non-jail system can write into the jail, so you might even be able to do it with a simple symlink.)
jail is the best sandbox FreeBSD has; if that's to heavy, simply run it setuid to another user that doesn't have permission to anything- it's not as good of a sandbox, but it's lightweight.
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
- Follow-Ups:
- Re: Sandboxing
- From: mal content
- Re: Sandboxing
- References:
- Sandboxing
- From: mal content
- Re: Sandboxing
- From: mal content
- Re: Sandboxing
- From: Lowell Gilbert
- Re: Sandboxing
- From: Erik Trulsson
- Re: Sandboxing
- From: mal content
- Re: Sandboxing
- From: Luke Crawford
- Re: Sandboxing
- From: mal content
- Sandboxing
- Prev by Date: Re: Sandboxing
- Next by Date: Re: Sandboxing
- Previous by thread: Re: Sandboxing
- Next by thread: Re: Sandboxing
- Index(es):
Relevant Pages
|
|
