Sandboxing
Luke Crawford
lsc at prgmr.com
Thu Nov 9 08:48:43 UTC 2006
On Thu, 9 Nov 2006, mal content wrote:
> On 09/11/06, Luke Crawford <lsc at prgmr.com> wrote:
>> man jail(8)
> A full jail is quite extreme, don't you think? Besides, it'd be tricky to
> allow
> a jailed program to write to ~/.mozilla and /tmp.
Not really. well, it would be difficult to let it write to both
~/.mozilla and /tmp unless your homedir is under /tmp, what I would do is
run mozilla under ~/mozilla and use that as the jail chroot. give it an
internal IP and connect via X over IP if you want... or figure out how to
put the named pipe unter ~/.mozilla (I'm not going to look it up for you,
but there is a way... your jail system can't write outside the jail, but
your non-jail system can write into the jail, so you might even be able
to do it with a simple symlink.)
jail is the best sandbox FreeBSD has; if that's to heavy, simply run it
setuid to another user that doesn't have permission to anything- it's not
as good of a sandbox, but it's lightweight.
More information about the freebsd-security
mailing list