Re: chroot a few apps
Hi,

On Sat, Jan 09, 2010 at 10:26:47AM +0100, Vadkan Jozsef wrote:
> What kind of chroot should I use, if I want to make a more secured
> desktop, running e.g.:
...
> or e.g.: I have to open a .doc file, that I don't trust, or a PDF can
> contain malicious code :(

Chroot only provides limited security and it is not practical for the purpose you described. (I mean wrong tool for desktop apps.)

Debian is fairly safe as default.

If you wish to have security with reasonable efforts with minimal knowledge, I suggest the following:

1. Use stable system with latest security updates and not to do funny configuration such as chroot. You will make system more insecure if it is not done very well.
2. Use alternate user account for somewhat insecure actions for now to limit damages.
3. Do not execute program from insecure source intentionally.
4. Read "Securing Debian Manual" and follow. http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html
5. Run desktop applications under a virtual system such as kvm, virtualbox-ose, ... with freshly copied clean system if you are really paranoid and have to access such insecure documents.

I know these are not the best thing for the security but quite practical.

Osamu

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: chroot a few apps
On Sat, Jan 09, 2010 at 10:26:47AM +0100, Vadkan Jozsef wrote:
> Hi.
>
> What kind of chroot should I use, if I want to make a more secured
> desktop, running e.g.:
>
> pdf reader
> webbrowser
> audio player
> video player
> openoffice
> picture viewer
> mua
> ooo
> virtualbox
>
> e.g.: if there's a javascript vulnerability in google chrome [I haven't
> heard a NoScript extension for it :( ] a chroot would be good for
> stopping it from doing something bad with the whole system.
>
> or e.g.: I have to open a .doc file, that I don't trust, or a PDF can
> contain malicious code :(
>
> Any tips/docs/howtos?

Don't you want those programs to actually talk with one another? What's the point in a chrooted word processor? You want to do something useful with the documents it generates, right? You want to be able to save attachments from the MUA, right?

--
Tzafrir Cohen         | tzaf...@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzaf...@cohens.org.il |                    |  best
ICQ# 16849754         |                    | friend
Re: chroot a few apps
> On Sat, Jan 09, 2010 at 10:26:47AM +0100, Vadkan Jozsef wrote:
> > Hi.
> >
> > What kind of chroot should I use, if I want to make a more secured
> > desktop, running e.g.:
> >

Take a look at schroot. This utility lets a regular user run chrooted programs and commands (including graphical programs) from outside the chroot and takes care of details such as auto-mounting /proc and /home.

http://www.debian-administration.org/articles/566
Re: chroot a few apps
On Sat, Jan 09, 2010 at 10:26:47AM +0100, Vadkan Jozsef wrote:
> Hi.
>
> What kind of chroot should I use, if I want to make a more secured
> desktop, running e.g.:
>
> pdf reader
> webbrowser
> audio player
> video player
> openoffice
> picture viewer
> mua
> ooo
> virtualbox

For web browser you can simply use a separate user. E.g. on my machine I run browser with sudo -H -u inet iceweasel.

~$ id inet
uid=1001(inet) gid=1001(inet) groups=1001(inet),29(audio)

I have no flash installed under my user, but I installed it under inet user.
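The separate-account approach in the message above only limits damage if the account itself carries no extra privileges. As an added example (not part of the thread), this sh script checks a line of `id` output, such as the one quoted for `inet`, for uid 0 or membership in privileged groups; the function names and the `RISKY_GROUPS` list are assumptions to adapt to the local system.

```shell
#!/bin/sh
# Added example: audit a dedicated low-privilege account from `id` output.
# RISKY_GROUPS is an assumed list of groups that grant extra privilege on a
# Debian-like system; adjust it for the machine being checked.
RISKY_GROUPS="root sudo adm disk shadow staff docker lpadmin"

# risky_groups_in "<id output>": print each risky group found, one per line.
risky_groups_in() {
    # Isolate the groups= field, split on commas, keep only the group names.
    printf '%s\n' "$1" |
    sed -n 's/.*groups=\([^ ]*\).*/\1/p' |
    tr ',' '\n' |
    sed -n 's/^[0-9]*(\(.*\))$/\1/p' |
    while IFS= read -r g; do
        for r in $RISKY_GROUPS; do
            if [ "$g" = "$r" ]; then printf '%s\n' "$g"; fi
        done
    done
}

# audit_id "<id output>": return 0 if the account looks suitably restricted.
audit_id() {
    _uid=$(printf '%s\n' "$1" | sed -n 's/^uid=\([0-9]*\).*/\1/p')
    _found=$(risky_groups_in "$1")
    # Fail closed: unparsable input, uid 0 or any risky group is a finding.
    if [ -z "$_uid" ] || [ "$_uid" -eq 0 ] || [ -n "$_found" ]; then
        return 1
    fi
    return 0
}

# First line is the `id inet` output quoted in the post; the second is a
# constructed counter-example. On a live system: audit_id "$(id inet)"
for line in \
    'uid=1001(inet) gid=1001(inet) groups=1001(inet),29(audio)' \
    'uid=1002(web) gid=1002(web) groups=1002(web),27(sudo),4(adm)'
do
    if audit_id "$line"; then
        echo "OK:   $line"
    else
        echo "WARN: $line -> $(risky_groups_in "$line" | tr '\n' ' ')"
    fi
done
```
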
chroot a few apps
Hi.

What kind of chroot should I use, if I want to make a more secured desktop, running e.g.:

pdf reader
webbrowser
audio player
video player
openoffice
picture viewer
mua
ooo
virtualbox

e.g.: if there's a javascript vulnerability in google chrome [I haven't heard a NoScript extension for it :( ] a chroot would be good for stopping it from doing something bad with the whole system.

or e.g.: I have to open a .doc file, that I don't trust, or a PDF can contain malicious code :(

Any tips/docs/howtos?

Thank you!