OpenBSD - isolation on Desktop application level

Which usable method is preferred as application isolation on OpenBSD?



  • Running GUI apps with different users? Different for the web browser, torrent client, PDF viewer, etc.

  • chroot? - https://www.ibm.com/developerworks/community/blogs/karsten/entry/openbsd_chroot?lang=en

  • Or are there other usable methods?

Purpose: If an attacker comes in via the web browser, then it shouldn't reach the (personal) files (ex.: pw manager DB file), memory content, it should be limited somehow.







asked Nov 20 '17 at 11:43 by Peter

1 Answer
One could use a different user account to run the web browser (and a different X11 server for that different user, so there's no sharing between your regular account and where the browser is run).

Another option may be vmm(4), in which case you'd run an OpenBSD virt and run the troublesome applications therein. Graphics accelerated or otherwise might be tricky (no idea here, none of my CPUs are new enough to use vmm(4)).

Some applications are pledged (read pledge(2)), which may limit their access to resources. Others are hopelessly not pledged, so that's no help. (Compare Chrome vs. olden versions of Firefox.)






answered Nov 20 '17 at 15:53 by thrig
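
A check to go with the separate-user approach in the answer above, as an added example that is not part of the original post: running the browser under its own account only protects a file such as the password manager database if "other" users cannot read it and traverse every directory above it. The function names are this example's own, and it assumes the browser account shares no group with your regular account.

```shell
#!/bin/sh
# other_bits PATH: print the "other" permission triplet of PATH, e.g. "r-x".
other_bits() {
    # Field 1 of `ls -ld` is the mode string (drwxr-x--x); chars 8-10 are "other".
    # -L follows symlinks so the target's mode is what gets judged.
    ls -ldL "$1" 2>/dev/null | awk 'NR == 1 { print substr($1, 8, 3) }'
}

# first_blocker FILE: print the first path component that stops "other"
# users from reading FILE; print nothing if no component stops them.
first_blocker() {
    p=$1
    case $p in /*) ;; *) p=$PWD/$p ;; esac      # work on an absolute path
    case $(other_bits "$p") in
        r??) ;;                                  # file is o+r, look at the dirs
        *)   printf '%s\n' "$p"; return 0 ;;     # unreadable (or missing) file
    esac
    while [ "$p" != "/" ]; do
        p=$(dirname "$p")
        case $(other_bits "$p") in
            ??[xt]) ;;                           # o+x: directory can be traversed
            *)      printf '%s\n' "$p"; return 0 ;;
        esac
    done
}

# reachable_by_others FILE: succeed if "other" users can read FILE.
reachable_by_others() {
    [ -z "$(first_blocker "$1")" ]
}

# Usage (the path is a constructed example):
#   reachable_by_others "$HOME/secrets/pw.kdbx" && echo "exposed to other accounts"
```

This covers file permissions only; the X11 sharing the answer mentions is a separate channel that a permission check does not see.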
