On 03-04 02:06, [email protected] wrote: > in the following message: > https://marc.info/?l=openbsd-misc&m=158110613210895&w=2 > Theo discourages to use unveil instead of chroot. > I asked if he suggests the same for the browser but he asked that chroot > is onlye for *root*. > Then what should I do to hardening the most exposed piece of code that > we use everyday ? > Now I'm using unveil+chrome...
Partly as a possible approach, and partly for feedback/suggestions on it: Back when I used Debian/Devuan Linux more, I isolated things with multiple user logins and their corresponding X sessions running at the same time, among which I would switch with Ctrl-Alt-F* keys, hoping that if one account (where I did most of the general browsing, etc) was compromised, it would not compromise the other accounts, where I restricted the activites to more trusted binaries or sites. Then, lacking copy/paste between them, I had a single "chmod a+rw ..." text file sitting in /home where different accounts could read/write info. Now, on obsd, I do that sort of thing, but with ssh -X across users in a single X session and a bit of scripted xclip usage where I can, and a systemwide default of umask 0077, and limit my root access to run only from a console -- which you can consider. But I've wondered, if obsd were suited to multiple concurrent X sessions, whether that could be interesting as well to address this common issue. -- Luke Call My thoughts: http://lukecall.net (updated 2020-02-18)
