Quoting dan mclaughlin <thev...@openmailbox.org>:
there seems to be some interest in this, so i thought i would post my notes, made more presentable. here i detail ways to use ssh to restrict access to the filesystem as well as X, mitigating the 'security nightmare' that is X11, not to mention preventing possible leaking of local data. this uses more proven code so may be better than eg virtualization for some things.
This looks interesting but really complicated. As I commented before I use a virtual machine for running Firefox due to security concerns, now with OpenBSD at last. I know that a virtual machine would not resist a targeted attack, but since it would be complicated breaking away from a virtual machine and this is not a common setup I do not think a generic attack/worm/trojan would be able to do any harm.
Also, I'm running Firefox for browsing but since it's common to get PDF files I have installed along a PDF viewer as well. And sometimes I want to print documents so I installed cups (fortunately everything works on OpenBSD as expected, thanks by the way!). Firefox, a PDF viewer and cups have a lot of dependencies, and I have not tried yet to forward sound so my Firefox is soundless. And Firefox alone eats lots of memory, I have reserved for this VM one gigabyte of RAM.
To me that's one of the biggest virtual machines I have, and very likely would make a big jail. If I wanted to do it the OpenBSD way (the one I imagine) I would reserve an old laptop or netbook and put there OpenBSD with Firefox and friends instead of setting up a big and complicated jail.
-- Best regards, Jorge Lopez. ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.
