Sandboxing

Luke Crawford lsc at prgmr.com
Thu Nov 9 08:48:43 UTC 2006


On Thu, 9 Nov 2006, mal content wrote:
> On 09/11/06, Luke Crawford <lsc at prgmr.com> wrote:

>> man jail(8)

> A full jail is quite extreme, don't you think? Besides, it'd be tricky to
> allow a jailed program to write to ~/.mozilla and /tmp.

Not really.  Well, it would be difficult to let it write to both 
~/.mozilla and /tmp unless your homedir is under /tmp.  What I would do is 
run mozilla under ~/mozilla and use that as the jail chroot.  Give it an 
internal IP and connect via X over IP if you want... or figure out how to 
put the named pipe under ~/.mozilla (I'm not going to look it up for you, 
but there is a way...  your jail system can't write outside the jail, but 
your non-jail system can write into the jail, so you might even be able 
to do it with a simple symlink.)

jail is the best sandbox FreeBSD has;  if that's too heavy, simply run it 
setuid to another user that doesn't have permission to anything; it's not 
as good of a sandbox, but it's lightweight.
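As an added example, not from the post or its author: a small FreeBSD sh script that lays out the jail the reply describes (root at ~/mozilla, profile and /tmp inside it, a host-side symlink from ~/.mozilla into the jail, then jail(8) started with -u as the unprivileged user). The jail hostname, the browser path, the loopback alias IP and the X display are assumptions.

```shell
#!/bin/sh
# Added example, not from the list post: the per-user browser jail the reply
# sketches. Jail root ~/mozilla, profile and /tmp inside it, and a symlink from
# ~/.mozilla into the jail so the host can reach the profile (the jail cannot
# write out, the host can write in). Assumes the root already holds a FreeBSD
# userland plus the browser and the alias IP is configured on an interface.
set -eu
JAIL_HOST=mozjail                         # jail hostname (assumed)
BROWSER=/usr/local/bin/firefox            # path inside the jail (assumed)

# Writable directories inside the jail root. HOME is / inside the jail, so the
# profile lands in $root/.mozilla; /tmp gets the usual sticky bit.
make_jail_skeleton() {
    root=$1
    mkdir -p "$root/.mozilla" "$root/tmp"
    chmod 1777 "$root/tmp"
}

# Point $home/.mozilla at the profile inside the jail so the host-side user
# sees the jailed browser's data. Refuses to clobber a real directory.
link_profile() {
    root=$1; home=$2
    if [ -e "$home/.mozilla" ] && [ ! -L "$home/.mozilla" ]; then
        echo "refusing to replace existing $home/.mozilla" >&2
        return 1
    fi
    ln -sfn "$root/.mozilla" "$home/.mozilla"
}

# Start the browser with jail(8) in its classic positional form, as the
# unprivileged host user, under its own hostname and internal IP. DISPLAY is
# passed through for X over IP; JAIL_DRYRUN=1 prints the command instead.
run_jail() {
    root=$1; user=$2; ip=$3
    export HOME=/ DISPLAY="${DISPLAY:-127.0.0.1:0}"
    ${JAIL_DRYRUN:+echo} jail -u "$user" "$root" "$JAIL_HOST" "$ip" "$BROWSER"
}

# Usage (as root on FreeBSD): setup-mozjail.sh setup <user> [ip]
case "${1:-}" in
setup)
    user=$2; ip=${3:-127.0.0.2}
    home=$(eval echo "~$user")
    make_jail_skeleton "$home/mozilla"
    chown "$user" "$home/mozilla/.mozilla" "$home/mozilla/tmp"
    link_profile "$home/mozilla" "$home"
    run_jail "$home/mozilla" "$user" "$ip"
    ;;
esac
```

The jailed browser still needs its own userland under ~/mozilla and an X server that accepts connections from the jail's IP; the script only prepares the layout and launches it.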
