Quoting Lucy <[EMAIL PROTECTED]>:

> On 20/06/07, Matthew Macdonald-Wallace <[EMAIL PROTECTED]> wrote:
>> > In principle though yes, it would be nice if each app that faces an
>> > untrusted network was in their own separate user space or jail.
>>
>> OK then, why not something like this:
>>
>> 1) App is installed into its own jail
>> 2) A link is set up from given directories in each app's jail to
>> /downloads which is read only.
>> 3) Any documents downloaded are saved to the dir in the jail, but can
>> be accessed by any user via /downloads and copied from there to a home
>> dir.
>> 4) A cron job runs once a day and cleans out any files that are still
>> in /downloads for security purposes.
>
> Each application would still need access to system libraries, etc
> though and so would still be a security risk to some extent. You could
> look at SELinux, used by Fedora, which AFAIK uses policies to restrict
> what an application can do and where it can write to.
Point taken; however, I was under the impression that if you run an app in a chroot jail, the libraries are available to it? Again, I could be wrong about this as well! :)

M.

-- 
Matthew Macdonald-Wallace
Group Co-Ordinator
Thanet Linux User Group
http://www.thanet.lug.org.uk/
[EMAIL PROTECTED]
GPG KEY: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xFEA1BC16
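The jail layout sketched in the quoted steps, written out as an added example that is not part of this thread: a chroot only sees what sits under its root, so the libraries a binary needs have to be copied in, which is what the first function does. The helper names are invented here, and the script assumes Linux with ldd, GNU find and util-linux mount; only the bind mount needs root.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a chroot for one application,
# exposes its download directory read-only at /downloads, and sweeps it daily.

# jail_populate JAIL BINARY
# Copies BINARY and every shared library ldd resolves for it into JAIL,
# keeping the original paths so the dynamic loader finds them after chroot.
jail_populate() {
    jail=$1; bin=$2
    mkdir -p "$jail$(dirname "$bin")" "$jail/dev" "$jail/downloads"
    cp "$bin" "$jail$bin"
    # ldd prints "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)" or
    # "/lib64/ld-linux-x86-64.so.2 (0x...)"; keep every absolute path.
    ldd "$bin" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
    while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp "$lib" "$jail$lib"
    done
}

# jail_check JAIL BINARY
# Succeeds only if the binary and every library ldd lists are in the jail.
jail_check() {
    jail=$1; bin=$2
    [ -x "$jail$bin" ] || return 1
    ldd "$bin" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
    while read -r lib; do [ -e "$jail$lib" ] || exit 1; done
}

# jail_export_downloads JAIL
# Step 2: publish the jail's download directory at /downloads as a read-only
# bind mount, with nosuid/nodev/noexec so nothing dropped there can run.
# Needs root; not exercised by the test.
jail_export_downloads() {
    mkdir -p /downloads
    mount --bind "$1/downloads" /downloads &&
    mount -o remount,bind,ro,nosuid,nodev,noexec /downloads
}

# downloads_sweep DIR
# Step 4, the daily cron job: delete files older than a day. Point it at the
# jail-side directory ($JAIL/downloads); the /downloads view is read-only.
downloads_sweep() {
    find "$1" -type f -mtime +0 -delete
}
```

Run the sweep from cron as `downloads_sweep /path/to/jail/downloads`, not against the read-only /downloads mount.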