[ubuntu-uk] Ubuntu (linux) vulnerability?? Comment please

Lucy lucybridges at gmail.com
Wed Jun 20 14:58:58 BST 2007


On 20/06/07, Matthew Macdonald-Wallace <matthew at truthisfreedom.org.uk> wrote:
> > In principle though yes, it would be nice if each app that faces an
> > untrusted network was in their own separate user space or jail.
>
> OK then, why not something like this:
>
> 1) App is installed into its own Jail
> 2) A link is set up from given directories in each app's jail to
> /downloads which is read only.
> 3) Any documents downloaded are saved to the dir in the jail, but can
> be accessed by any user via /downloads and copied from there to a home
> dir.
> 4) a cron job runs once a day and cleans out any files that are still
> in /downloads for security purposes.
>

Each application would still need access to system libraries, etc.,
though, and so would still be a security risk to some extent. You could
look at SELinux, used by Fedora, which AFAIK uses policies to restrict
what an application can do and where it can write to.
