s at ssimo.org
Fri Jun 28 13:20:07 UTC 2013
On 06/28/2013 07:02 AM, Werner Koch wrote:
> On Fri, 28 Jun 2013 12:06, mjr at phonecoop.coop said:
>> I'd love it if we shared good practice and encourage people to install
>> things like noscript.net.
> The problem with noscript is that you need to add temporary exceptions
> way too often. It is a good tool, nevertheless.
> But better also run your browser under a different account and a second
> X server or with Xephyr. Copying and pasting lacks quite some comfort
> then but that is the price to be a little bit safer.
has already won, but it is not all for the worst.
Major browsers have good sandboxing technology and their security is
improved every day.
However, should you not trust your browser and/or some website you want
to visit, then you can run OS level sandboxing. I do it this way:
    sandbox -i "$HOME/.mozilla/extensions" -i "$HOME/.mozilla/plugins" \
        -i "$HOME/.mozilla/firefox/profiles.ini" -w 1024x900 \
        -t sandbox_web_t -M -X /usr/bin/firefox -P sandbox "$@"
It requires at least a basic SELinux Policy installed and the sandbox
program, but it is really neat in that it completely isolates the
browser and creates a completely new environment for it to run.
The template you start from is copied from the referenced template and
superimposed via namespacing, and the binary itself is prevented
access to anything in the user's home directory. This also means that
any configuration change is lost on closing it, but that is intentional
as it will erase any change an exploit may attempt to make as well.
Simo Sorce - s at ssimo.org
No good deed goes unpunished - http://ssimo.org/blog
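
Added example, not part of the original message: a preflight script for the sandbox command above. It checks that the sandbox program and SELinux are available, that the three -i paths exist, and that profiles.ini defines the profile passed to firefox -P. Function names are hypothetical, and profiles.ini is assumed to use Firefox's usual Name=<profile> lines.

```shell
#!/bin/sh
# Added example: preflight checks for the sandboxed Firefox command above.
# Function names and report wording are hypothetical.

# The three paths the command passes to `sandbox -i`, relative to a home dir.
INCLUDES=".mozilla/extensions .mozilla/plugins .mozilla/firefox/profiles.ini"

# Print each -i path that does not exist under the given home directory.
missing_includes() {
    for rel in $INCLUDES; do
        [ -e "$1/$rel" ] || printf '%s\n' "$rel"
    done
}

# Succeed if profiles.ini under the given home defines the profile name
# that the command selects with `firefox -P <name>`.
has_profile() {
    ini="$1/.mozilla/firefox/profiles.ini"
    [ -f "$ini" ] && grep -qx "Name=$2" "$ini"
}

# Report SELinux state as enabled, disabled, or unknown (tools not installed).
selinux_state() {
    if ! command -v selinuxenabled >/dev/null 2>&1; then
        echo unknown
    elif selinuxenabled; then
        echo enabled
    else
        echo disabled
    fi
}

# Run every check; print one line per problem and return non-zero if any.
preflight() {
    rc=0
    command -v sandbox >/dev/null 2>&1 || { echo "sandbox program not found"; rc=1; }
    [ "$(selinux_state)" = enabled ] || { echo "SELinux: $(selinux_state)"; rc=1; }
    for rel in $(missing_includes "$1"); do
        echo "missing include: $rel"; rc=1
    done
    has_profile "$1" "$2" || { echo "no Firefox profile named $2"; rc=1; }
    return $rc
}

# Intended use: preflight "$HOME" sandbox, then start the sandbox command.
```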