On Thu, 19 Mar 2015 08:52:09 -0600 Jorge Gabriel Lopez Paramount 
<jorge.lopez.paramo...@googlemail.com> wrote:
> Quoting dan mclaughlin <thev...@openmailbox.org>:
> 
> > there seems to be some interest in this, so i thought i would post my notes,
> > made more presentable.
> >
> > here i detail ways to use ssh to restrict access to the filesystem as well as
> > X, mitigating the 'security nightmare' that is X11, not to mention preventing
> > possible leaking of local data. this uses more proven code so may be better
> > than eg virtualization for some things.
> 
> This looks interesting but really complicated. As I commented before I  
> use a virtual machine for running Firefox due to security concerns,  
> now with OpenBSD at last. I know that a virtual machine would not  
> resist a targeted attack, but since it would be complicated breaking  
> away from a virtual machine and this is not a common setup I do not  
> think a generic attack/worm/trojan would be able to do any harm.
> 
> Also, I'm running Firefox for browsing but since it's common to get  
> PDF files I have installed along a PDF viewer as well. And sometimes I  
> want to print documents so I installed cups (fortunately everything  
> works on OpenBSD as expected, thanks by the way!). Firefox, a PDF  
> viewer and cups have a lot of dependencies, and I have not tried yet  
> to forward sound so my Firefox is soundless. And Firefox alone eats  
> lots of memory, I have reserved for this VM one gigabyte of RAM.
> 
> To me that's one of the biggest virtual machines I have, and very  
> likely would make a big jail. If I wanted to do it the OpenBSD way  
> (the one I imagine) I would reserve an old laptop or netbook and put  
> there OpenBSD with Firefox and friends instead of setting up a big and  
> complicated jail.
> 
> -- 
> Best regards,
> Jorge Lopez.

you have a point about it being complicated, which is why i said i don't think
it would work with firefox. i mention already that i had trouble with a few
simpler ports like qiv.

and physical separation on its own machine is probably the best practice anyway
(i use physical separation for security myself). but there may be cases where
one may not be able to dedicate a whole machine to it, and it's something. it
depends on one's use case. hence my statement above 'for some things'. firefox
isn't in my use case. physical separation would be more difficult for one of my
main use cases, reading pdfs on my desktop. and not everybody always has access
to such resources.

the intent though was to make it possible to run any code, and also to use
openbsd base, as that is a more trusted code base to build upon (ssh -X,
chroot).

one use is xpdf for instance. (which is only about ~135M of space, a good half
of that X11 fonts). some do get bigger, like djview4 which has 70 packages
and ~712M space. (i also use it for w3m, since one must be particularly careful
with browsers given QUANTUMINSERT and the like.) as to RAM, this would hardly
take any more than is already used.

and it is much less complicated with scripts (i already invested time in them
so i don't have to invest it later setting them up (and making mistakes)). it's
a single command now. i also have scripts that automate starting up/taking down
Xephyr and launching the proper account/commands (i just type 'open file' and
everything is already done for me.)

the beauty of scripts (and unix).
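One way to script the Xephyr / separate-account / ssh -X launch described in this thread, as an added example that is not from the thread or its author. The account name "viewer", display ":1", the "incoming" directory and "xpdf" as the viewer are assumptions, and the chroot setup of the viewer account is not shown.

```sh
#!/bin/sh
# Added example, not from the thread: open a file in a viewer that runs as a
# separate unprivileged local account, with its X access confined to a nested
# Xephyr server reached through untrusted (ssh -X) X11 forwarding.
# Assumptions: account "viewer" exists (chroot setup not shown here), display
# ":1" is free, and the viewer is "xpdf"; override via the environment.
set -eu

VIEWER_ACCOUNT=${VIEWER_ACCOUNT:-viewer}
NESTED_DISPLAY=${NESTED_DISPLAY:-:1}
SCREEN=${SCREEN:-1024x768}
INBOX=${INBOX:-incoming}   # directory under the sandbox account's home

# With DRY_RUN=1 commands are printed instead of executed (used by the check).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Nested X server: the sandboxed client only ever talks to this server, so it
# cannot read keystrokes or windows of the real desktop. No TCP listener.
start_nested_x() {
    run Xephyr "$NESTED_DISPLAY" -screen "$SCREEN" -br -nolisten tcp
}

# Copy the document into the sandbox account and run the viewer there.
# DISPLAY points at Xephyr; -X with ForwardX11Trusted=no keeps the forwarded
# connection untrusted (X SECURITY extension), a second layer on top of Xephyr.
run_in_sandbox() {
    prog=$1; file=$2
    name=${file##*/}
    run scp -q -- "$file" "$VIEWER_ACCOUNT@localhost:$INBOX/$name"
    export DISPLAY="$NESTED_DISPLAY"
    run ssh -X -o ForwardX11Trusted=no \
        "$VIEWER_ACCOUNT@localhost" "$prog" "$INBOX/$name"
}

open_in_sandbox() {
    start_nested_x &
    xpid=$!
    trap 'kill "$xpid" 2>/dev/null' EXIT INT TERM   # tear Xephyr down after
    sleep 1                                         # crude: let Xephyr come up
    run_in_sandbox "$@"
}

# Usage: ./open-sandboxed.sh xpdf some.pdf
if [ $# -eq 2 ]; then open_in_sandbox "$@"; fi
```

Running it with DRY_RUN=1 prints the scp, ssh and Xephyr command lines without executing them, which is a quick way to check the options before trusting the script with a real document.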
