I don't know whether this is a good idea, a bad idea, or worth the
trouble, but I've used sudo to make a poor-man's sandbox in the past,
like this:

http://reiisi.blogspot.jp/2011/08/simple-sandbox-for-firefox.html

Trying this on OpenBSD seems to work:

-------------------------------
# Added a new login class:
vi /etc/login.conf
...
hexed:\
        :auth=reject:\
        :shell=/sbin/nologin:\
        :datasize-cur=512M:\
        :datasize-max=1024M:\
        :maxproc-max=128:\
        :maxproc-cur=64:\
        :requirehome@:\
        :tc=default:
...

mkdir /home/x/hexed-me

groupadd -g 7734 hexed-me

useradd -b /home/x -g hexed-me -u 7734 -L hexed hexed-me

chown hexed-me:hexed-me /home/x/hexed-me

# Changed the default shell for hexed-me:
vipw
...
hexed-me:*:7734:7734::/home/x/hexed-me:/sbin/nologin
...

usermod -G hexed-me me

chmod -R o-rwx,g+rwx /home/x/hexed-me

# Added the following to /etc/sudoers
# (actually, to /etc/sudoers.d/hexed-me, via #includedir):
visudo
...
User_Alias HEXEDMEDOER = me
Runas_Alias HEXEDMEHEXED = hexed-me
Defaults:HEXEDMEDOER !authenticate, always_set_home, set_logname, !preserve_groups
HEXEDMEDOER ALL = (HEXEDMEHEXED) ALL
...
# (Had to chmod 550 /etc/sudoers.d and chmod 440 /etc/sudoers.d/hexed-me .)

# Didn't need to make this script:
vi bin/firehex
===
#! /bin/sh
# $1 = sandbox user to run as, $2 = optional URL or file to open

xhost "local:${1}"; sudo -u "${1}" firefox ${2:+"$2"}
===
-------------------------------

It seems to run firefox just fine:

sudo -H -u hexed-me firefox

but gedit doesn't change to hexed-me's home directory when run the same way.

I would appreciate any critiques or outright criticisms of this.

Is it worth the trouble?

Does it perhaps open up new vulnerabilities instead?

-- 
Joel Rees

Be careful when you look at conspiracy.
Look first in your own heart,
and ask yourself if you are not your own worst enemy.
Arm yourself with knowledge of yourself, as well.
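
Added example, not part of the original post: a check of what the sandbox account can still reach in the real user's files, since the setup above only tightens the sandbox home with `chmod -R o-rwx`. The function names `reachable` and `audit` are made up here, and the check assumes the sandbox account neither owns the files nor belongs to their group (as with hexed-me above), so only the "other" permission bits apply; parent directories of the audited path are not examined.

```shell
#!/bin/sh
# Added example: audit a directory tree for paths a sudo-sandbox account
# (e.g. hexed-me) can reach through the "other" permission bits.

# reachable MODE DIR
#   Print non-symlink paths under DIR whose "other" bits include MODE
#   (4 = read, 2 = write). Subtrees under a directory without o+x are
#   skipped, because "other" cannot traverse into them.
reachable() {
    mode=$1 dir=$2
    find "$dir" -type d ! -perm -001 -prune -o \
        ! -type l -perm "-00$mode" -print | sort
}

# audit DIR
#   Print a summary; return 0 only if nothing under DIR is exposed.
audit() {
    dir=$1
    r=$(reachable 4 "$dir")
    w=$(reachable 2 "$dir")
    [ -n "$r" ] && printf 'readable by sandbox account:\n%s\n' "$r"
    [ -n "$w" ] && printf 'WRITABLE by sandbox account:\n%s\n' "$w"
    [ -z "$r$w" ]
}

# Stand-alone use: sh audit.sh /home/me   (script name is hypothetical)
[ "$#" -eq 0 ] || audit "$1"
```

A non-zero exit from `audit` on the real user's home means the sandboxed browser can see (or modify) the listed paths.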
