
Re: chroot a few apps



Hi,

On Sat, Jan 09, 2010 at 10:26:47AM +0100, Vadkan Jozsef wrote:
> What kind of chroot should I use, if I want to make a more secured
> desktop, running e.g.:
...
> or e.g.: I have to open a .doc file, that I don't trust, or a PDF can
> contain malicious code :(

Chroot only provides limited security and it is not practical for
the purpose you described.  (I mean it is the wrong tool for desktop apps.)

Debian is fairly safe by default.

If you wish to have security with reasonable effort and minimal
knowledge, I suggest the following:

 1. Use a stable system with the latest security updates and do not do
    funny configuration such as chroot.  You will make the system more
    insecure if it is not done very well.

 2. Use an alternate user account for somewhat insecure actions for now
    to limit damage.

 3. Do not execute programs from insecure sources intentionally.

 4. Read the "Securing Debian Manual" and follow it.
    http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html

 5. Run desktop applications under a virtual system such as kvm,
    virtualbox-ose, ... with a freshly copied clean system if you are
    really paranoid and have to access such insecure documents.

I know these are not the best things for security, but they are quite practical.

Osamu

