Re: Sandboxing

Board: FB_security | Posted: 19 years ago (2006/11/09 22:14)
Thread: 10/13
On Thu, 9 Nov 2006, mal content wrote:

> On 09/11/06, Luke Crawford <lsc@prgmr.com> wrote:
>> man jail(8)
> A full jail is quite extreme, don't you think? Besides, it'd be tricky to
> allow a jailed program to write to ~/.mozilla and /tmp.

Not really. Well, it would be difficult to let it write to both ~/.mozilla and /tmp unless your homedir is under /tmp; what I would do is run mozilla under ~/mozilla and use that as the jail chroot. Give it an internal IP and connect via X over IP if you want... or figure out how to put the named pipe under ~/.mozilla (I'm not going to look it up for you, but there is a way... your jail system can't write outside the jail, but your non-jail system can write into the jail, so you might even be able to do it with a simple symlink.)

jail is the best sandbox FreeBSD has; if that's too heavy, simply run it setuid to another user that doesn't have permission to anything - it's not as good of a sandbox, but it's lightweight.

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Article ID (AID): #15KpVO00 (FB_security)
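The one-way boundary mentioned in the reply above (a jailed process cannot reach outside its root, while the host can place a symlink that points into the jail), as an added example that is not part of the original post. It is a user-space model of chroot-style path resolution, not jail(8) itself; `resolve_in_jail`, `demo` and the temporary directory layout are constructed for illustration.

```python
import os
import tempfile

def _parts(p):
    return [c for c in p.split("/") if c not in ("", ".")]

def resolve_in_jail(jail_root, path, max_links=40):
    """Host path that `path` names for a process whose root is jail_root."""
    root = os.path.realpath(jail_root)
    pending, cur, links = _parts(path), [], 0
    while pending:
        part = pending.pop(0)
        if part == "..":
            if cur:
                cur.pop()          # ".." at the jail root stays at the jail root
            continue
        candidate = os.path.join(root, *cur, part)
        if os.path.islink(candidate):
            links += 1
            if links > max_links:
                raise OSError("too many levels of symbolic links")
            target = os.readlink(candidate)
            if target.startswith("/"):
                cur = []           # absolute target restarts at the jail root
            pending = _parts(target) + pending
        else:
            cur.append(part)
    return os.path.join(root, *cur)

def demo():
    """Constructed layout: jail rooted at ~/mozilla, as the reply suggests."""
    base = os.path.realpath(tempfile.mkdtemp())
    home = os.path.join(base, "home", "user")
    jail = os.path.join(home, "mozilla")
    profile = os.path.join(jail, "profile")
    for d in (profile, os.path.join(jail, "tmp"), os.path.join(base, "tmp")):
        os.makedirs(d)
    os.symlink(profile, os.path.join(home, ".mozilla"))     # host -> into jail
    os.symlink("/tmp", os.path.join(jail, "abs"))           # jail -> "/tmp"
    os.symlink("../../../tmp", os.path.join(jail, "rel"))   # jail -> upward
    return {
        "jail": jail,
        "profile": profile,
        "host_view": os.path.realpath(os.path.join(home, ".mozilla")),
        "jail_abs": resolve_in_jail(jail, "/abs"),
        "jail_rel": resolve_in_jail(jail, "/rel"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:10} {value}")
```

The host-side `.mozilla` link lands on the profile directory inside the jail, while both in-jail links resolve to the jail's own `tmp`, never the host's.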