On 6/15/21 4:33 PM, [email protected] wrote:
> If it only needs access to its lock file,
> why should I give it access to my ssh keys?

I think that it is worth understanding that you can use file and process permissions for that. Unveil is an extra layer, because no matter what ssh key you provide to an unveiled app, the developer of that application can decide that I only need access to a particular key provided on the command line and only within certain execution paths. The app design may have a separate process that just handles the key and limited operations by talking via a socket. In a way, accomplishing that which you wanted in the first place, possibly without you, the user, even knowing.
