Change_root and systemd-nspawn as Sandboxes

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

Change_root and systemd-nspawn as Sandboxes

#1 Post by s243a »

I like to put applications where:

1. They are self contained
2. They don't need to interact much with other applications
3. I don't need to use them outside of the spot directory

within the spot directory. I figure that this somehow isolates them from more critical files. At least it should, if I remember to run everything within spot as spot. Regarding applications that meet 1, I realize that while this protects my files that are outside of spot, it doesn't stop applications within spot from messing with each other.

I then thought, well, how can I sandbox them from each other? I did a quick Google search and found both Change_root and systemd-nspawn.
https://wiki.archlinux.org/index.php/Ch ... rch-chroot

However, someone at the following links:
http://askubuntu.com/questions/292925/h ... plications

says that it is easy to break out of the Change_root environment, so perhaps there isn't much point in doing this. Yet, if I run Change_root as spot, presuming that is allowed, then if they can break out they will only have the privileges of spot and not root, right? So this would make a malicious application have to be able to escalate privileges twice, right?

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#2 Post by s243a »

I was reading this wikipedia article:
http://en.wikipedia.org/wiki/Chroot

And it sounds like what you are supposed to do is first do a chroot, and then change privileges to a user with lower privileges.

I was thinking today that I can write startup scripts to do this and access them from the puppy menu.

Edit: I tried to do this on Precise but it didn't seem to work (see thread).
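The sequence post #2 describes (chroot first while still root, then switch to a low-privilege user, then start the program) as an added example launcher script; this is not code from the thread or from Puppy itself. It assumes the jail directory already contains /bin/sh and whatever the application needs, that the sandbox user is given numerically as UID:GID so no /etc/passwd lookup happens inside the jail, and that a coreutils `chroot` with `--userspec` is on the PATH (busybox's chroot does not have that option). Because the uid/gid switch happens after chroot(2), the application never runs as root inside the jail and cannot call chroot again to climb back out.

```shell
#!/bin/sh
# Added example (not from the forum thread): run an application inside a
# chroot jail as an unprivileged user. Order matters: chroot(2) while still
# root, then drop to the low-privilege user, then exec the program.
#
# Assumptions (not stated in the original post):
#   - "$jail" already holds /bin/sh plus the application's binaries and libs;
#   - "$userspec" is numeric, e.g. 1000:1000, so no in-jail passwd lookup;
#   - coreutils chroot (with --userspec) is installed, not busybox chroot.

# Build the command line without running it, so the plan can be inspected
# (and tested) without root privileges.
sandbox_cmd() {
    jail=$1
    userspec=$2
    shift 2
    printf 'chroot --userspec=%s %s /bin/sh -c %s\n' "$userspec" "$jail" "'$*'"
}

# Check the preconditions, then exec the jailed program. A non-zero return
# code tells a menu launcher what went wrong instead of silently running
# the application outside the jail or as root inside it.
run_sandboxed() {
    jail=$1
    userspec=$2
    shift 2
    if [ "$(id -u)" -ne 0 ]; then
        echo "run_sandboxed: chroot needs root" >&2
        return 1
    fi
    if [ ! -x "$jail/bin/sh" ]; then
        echo "run_sandboxed: $jail has no executable /bin/sh" >&2
        return 2
    fi
    case $userspec in
        0|0:*)
            echo "run_sandboxed: refusing to run as uid 0 inside the jail" >&2
            return 3 ;;
    esac
    # exec replaces this script; the program starts as $userspec inside $jail
    exec chroot --userspec="$userspec" "$jail" /bin/sh -c "$*"
}

# Usage: ./launcher.sh --plan JAIL UID:GID CMD...   (just print the command)
#        ./launcher.sh --run  JAIL UID:GID CMD...   (run it, as root)
case "${1:-}" in
    --plan) shift; sandbox_cmd "$@" ;;
    --run)  shift; run_sandboxed "$@" ;;
esac
```

A startup script for the Puppy menu would call `--run` with the jail path and the spot user's numeric uid:gid; `--plan` shows the exact chroot command line so the privilege-drop order can be checked before anything is executed.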
