On 03-04 02:06, whistlez-ml@riseup.net wrote:
> in the following message:
> https://marc.info/?l=openbsd-misc&m=158110613210895&w=2
> Theo discourages to use unveil instead of chroot.
> I asked if he suggests the same for the browser but he asked that chroot
> is onlye for *root*.
> Then what should I do to hardening the most exposed piece of code that
> we use everyday ?
> Now I'm using unveil+chrome...
Partly as a possible approach, and partly for feedback/suggestions on
it:
Back when I used Debian/Devuan Linux more, I isolated things with
multiple user logins and their corresponding X sessions running
at the same time, among which I would switch with Ctrl-Alt-F* keys,
hoping that if one account (where I did most of the general browsing,
etc) was compromised, it would not compromise the other accounts, where
I restricted the activites to more trusted binaries or sites. Then,
lacking copy/paste between them, I had a single "chmod a+rw ..."
text file sitting in /home where different accounts could read/write info.
Now, on obsd, I do that sort of thing, but with ssh -X across users
in a single X session and a bit of scripted xclip usage where I can,
and a systemwide default of umask 0077, and limit my root access to
run only from a console -- which you can consider.
But I've wondered, if obsd were suited to multiple concurrent X
sessions, whether that could be interesting as well to address
this common issue.
--
Luke Call
My thoughts: http://lukecall.net (updated 2020-02-18)
No comments:
Post a Comment