OpenBSD - isolation on Desktop application level
Clash Royale CLAN TAG#URR8PPP
up vote
0
down vote
favorite
Which usable method is preferred as application isolation on OpenBSD?
- Running GUI apps with different users? Different for the webbrowser, torrent client, PDF viewer, etc.
- chroot? - https://www.ibm.com/developerworks/community/blogs/karsten/entry/openbsd_chroot?lang=en
- Or are there other usable methods?
Purpose: If an attacker comes in via the webbrowser, then it shouldn't reach the (personal) files (ex.: pw manager DB file), memory content, it should be limited somehow.
desktop openbsd privileges
add a comment |Â
up vote
0
down vote
favorite
Which usable method is preferred as application isolation on OpenBSD?
- Running GUI apps with different users? Different for the webbrowser, torrent client, PDF viewer, etc.
- chroot? - https://www.ibm.com/developerworks/community/blogs/karsten/entry/openbsd_chroot?lang=en
- Or are there other usable methods?
Purpose: If an attacker comes in via the webbrowser, then it shouldn't reach the (personal) files (ex.: pw manager DB file), memory content, it should be limited somehow.
desktop openbsd privileges
add a comment |Â
up vote
0
down vote
favorite
up vote
0
down vote
favorite
Which usable method is preferred as application isolation on OpenBSD?
- Running GUI apps with different users? Different for the webbrowser, torrent client, PDF viewer, etc.
- chroot? - https://www.ibm.com/developerworks/community/blogs/karsten/entry/openbsd_chroot?lang=en
- Or are there other usable methods?
Purpose: If an attacker comes in via the webbrowser, then it shouldn't reach the (personal) files (ex.: pw manager DB file), memory content, it should be limited somehow.
desktop openbsd privileges
Which usable method is preferred as application isolation on OpenBSD?
- Running GUI apps with different users? Different for the webbrowser, torrent client, PDF viewer, etc.
- chroot? - https://www.ibm.com/developerworks/community/blogs/karsten/entry/openbsd_chroot?lang=en
- Or are there other usable methods?
Purpose: If an attacker comes in via the webbrowser, then it shouldn't reach the (personal) files (ex.: pw manager DB file), memory content, it should be limited somehow.
desktop openbsd privileges
asked Nov 20 '17 at 11:43
Peter
6612
6612
add a comment |Â
add a comment |Â
1 Answer
1
active
oldest
votes
up vote
1
down vote
One could use a different user account to run the web browser (and a different X11 server for that different user, so there's no sharing between your regular account and where the browser is run).
Another option may be vmm(4)
in which case you'd run an OpenBSD virt and run the troublesome applications therein. Graphics accelerated or otherwise might be tricky (no idea here, none of my CPUs are new enough to use vmm(4)
)
Some applications are pledged (read pledge(2)
), which may limit their access to resources. Others are hopelessly not pledged, so that's no help. (Compare chrome vs. olden versions of firefox.)
add a comment |Â
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
1
down vote
One could use a different user account to run the web browser (and a different X11 server for that different user, so there's no sharing between your regular account and where the browser is run).
Another option may be vmm(4)
in which case you'd run an OpenBSD virt and run the troublesome applications therein. Graphics accelerated or otherwise might be tricky (no idea here, none of my CPUs are new enough to use vmm(4)
)
Some applications are pledged (read pledge(2)
), which may limit their access to resources. Others are hopelessly not pledged, so that's no help. (Compare chrome vs. olden versions of firefox.)
add a comment |Â
up vote
1
down vote
One could use a different user account to run the web browser (and a different X11 server for that different user, so there's no sharing between your regular account and where the browser is run).
Another option may be vmm(4)
in which case you'd run an OpenBSD virt and run the troublesome applications therein. Graphics accelerated or otherwise might be tricky (no idea here, none of my CPUs are new enough to use vmm(4)
)
Some applications are pledged (read pledge(2)
), which may limit their access to resources. Others are hopelessly not pledged, so that's no help. (Compare chrome vs. olden versions of firefox.)
add a comment |Â
up vote
1
down vote
up vote
1
down vote
One could use a different user account to run the web browser (and a different X11 server for that different user, so there's no sharing between your regular account and where the browser is run).
Another option may be vmm(4)
in which case you'd run an OpenBSD virt and run the troublesome applications therein. Graphics accelerated or otherwise might be tricky (no idea here, none of my CPUs are new enough to use vmm(4)
)
Some applications are pledged (read pledge(2)
), which may limit their access to resources. Others are hopelessly not pledged, so that's no help. (Compare chrome vs. olden versions of firefox.)
One could use a different user account to run the web browser (and a different X11 server for that different user, so there's no sharing between your regular account and where the browser is run).
Another option may be vmm(4)
in which case you'd run an OpenBSD virt and run the troublesome applications therein. Graphics accelerated or otherwise might be tricky (no idea here, none of my CPUs are new enough to use vmm(4)
)
Some applications are pledged (read pledge(2)
), which may limit their access to resources. Others are hopelessly not pledged, so that's no help. (Compare chrome vs. olden versions of firefox.)
answered Nov 20 '17 at 15:53
thrig
22.6k12853
22.6k12853
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f405750%2fopenbsd-isolation-on-desktop-application-level%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password