On Tue, Feb 03, 2009 at 06:39:43AM -0800, Nick wrote:
> Could someone advise me the best way to constrain an application from
> performing unwanted activities? (e.g. if someone in an irc chan was able to
> hijack my irssi app to read personal files).

You could try the ppriv(1) command (using -s) and reduce irssi's privileges.

> I currently run apps like irssi as a dedicated, unprivileged user. On
> OpenBSD, I've used systrace to define an irssi policy permitting only
> read/write of the configuration file and network traffic to approved irc
> servers.

Why use such a buggy app? You'd think that if someone could subvert your IRC client that it would be a bug in said IRC client, no?

> I've seen the FGAP project underway (which I believe will give me that
> systrace-like functionality) - are there any other ways of constraining the
> capabilities of specific applications within opensolaris?

If you have irssi source, too, you can have it downgrade its own privileges after reading the config file and establishing any network connections. Subsequent re-establishment of network connections can be privilege-bracketed.

Dan
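
The self-downgrade and privilege bracketing suggested in the reply above, as an added example that is not part of the original message and not irssi's code. It uses the Solaris priv_set(3C) interface; the function names are hypothetical, and both the list of privileges dropped and the presence of net_access in the basic set are assumptions about the client and the release.

```c
/* Added example: self-downgrade and privilege bracketing via priv_set(3C). */
#include <errno.h>
#include <stddef.h>
#include <sys/socket.h>
#include <unistd.h>
#ifdef __sun
#include <priv.h>

/* Call once the config file is read and the first connection is up. */
int drop_after_setup(void)
{
    /* Permanent: removed from every set, so hijacked code cannot regain
     * them. Which privileges the client can live without is an assumption. */
    if (priv_set(PRIV_OFF, PRIV_ALLSETS, PRIV_PROC_EXEC, PRIV_PROC_INFO,
                 PRIV_PROC_SESSION, PRIV_FILE_LINK_ANY, NULL) != 0)
        return -1;
    /* Bracketed: off in Effective only, kept in Permitted for reconnects. */
    return priv_set(PRIV_OFF, PRIV_EFFECTIVE, PRIV_NET_ACCESS, NULL);
}

/* Reconnect with net_access raised only around socket()/connect(). */
int bracketed_connect(const struct sockaddr *sa, socklen_t len)
{
    int fd;

    if (priv_set(PRIV_ON, PRIV_EFFECTIVE, PRIV_NET_ACCESS, NULL) != 0)
        return -1;
    fd = socket(sa->sa_family, SOCK_STREAM, 0);
    if (fd >= 0 && connect(fd, sa, len) != 0) {
        close(fd);
        fd = -1;
    }
    /* Always lower the privilege again; if that fails, give up the socket. */
    if (priv_set(PRIV_OFF, PRIV_EFFECTIVE, PRIV_NET_ACCESS, NULL) != 0 &&
        fd >= 0) {
        close(fd);
        fd = -1;
    }
    return fd;
}
#else
/* priv_set(3C) is Solaris-only; elsewhere report "not supported". */
int drop_after_setup(void) { errno = ENOTSUP; return -1; }
int bracketed_connect(const struct sockaddr *sa, socklen_t len)
{
    (void)sa; (void)len;
    errno = ENOTSUP;
    return -1;
}
#endif
```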