Thanks for the info and I expected someone to suggest this, but I didn't really want to go all crazy. :) I wanted to know if there was a secure one so I wouldn't have to jump through all these kinds of hoops. Thanks anyway.
On Thu, Apr 2, 2015, at 04:17 PM, dan mclaughlin wrote:
> On Thu, 2 Apr 2015 11:47:04 -0400 Jiri B <ji...@devio.us> wrote:
> > On Thu, Apr 02, 2015 at 12:33:25AM -0400, Eric Furman wrote:
> > > I sometimes have to deal with PDF files (ugh) and all
> > > I need is the ability to view and print them, nothing
> > > fancy. With security in mind I would like to get opinions
> > > on the best one to use.
> > > Thanks.
>
> hardly any existing software is written with security in mind, so...
> mitigation is the word. and since sometimes even the best coders may
> slip up...
>
> >
> > Run it chrooted under non-default (0) routing domain
> > and you should be in 99 % fine.
>
> and running under its own user as well.
>
> some of these mitigation techniques and more have been discussed
> recently:
> https://marc.info/?l=openbsd-misc&m=142703553113760&w=2
> https://marc.info/?l=openbsd-misc&m=142637712203350&w=2
> https://marc.info/?l=openbsd-misc&m=142676615612510&w=2
>
> the last thread is my experiments with ssh chroot jailing. if you
> decide to go the chroot route, you need to read that. you would
> have to do some additional work (eg set up a device) to get a
> printer working. there is also some info on using Xephyr. i use
> a jailed xpdf myself just as in the examples.
>
> and instead of routing, i use a pf rule:
>
> block out log
> pass out log quick on $intif proto tcp user { root, browse, 1000 }
> pass out log quick on $intif proto udp user { root, browse, 1000 }
>
> but you could just block the one user:
>
> block out log quick on $intif proto tcp user pdf
> block out log quick on $intif proto udp user pdf
> pass out
>
> at the very least, you want to run it under its own user, using
> 'ssh -X' and Xephyr.
>
> >
> > (I still can't figure out how to make apps in Xephyr
> > maximized without help of a WM.)
>
> many programs have command line options to control some of this.
> eg 'xpdf -fullscreen'. although that doesn't always give me the
> interface i want. but 'xpdf -geometry xXy' works too. i have
> scripts that synchronize the Xephyr geometry and the app's.
>
> >
> > j.
> >
>
> in sum, a dedicated unprivileged user, using ssh -X and Xephyr, with
> a pf rule (as above), and maybe chroot. about the best you can do for
> any program. one of those threads is about systrace, but that might
> be more complicated to set up (haven't looked into it too much myself).
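
An added example, not code from anyone in this thread: a launcher in the spirit of the geometry-synchronizing scripts mentioned above, where one WIDTHxHEIGHT value sizes both Xephyr and xpdf and the viewer runs as the dedicated user over 'ssh -X'. The display number :1, an sshd on localhost that accepts user pdf, and all function names are assumptions.

```shell
#!/bin/sh
# Added example: open a PDF in xpdf as the dedicated user "pdf" inside a
# nested Xephyr server, with one geometry value driving both.
# Assumptions: display :1 is free, sshd on localhost accepts user "pdf",
# and the file is readable by that user.

VIEW_USER=pdf        # user name taken from the pf rule in the thread
NESTED_DISPLAY=:1    # assumed free display number

# Accept only WIDTHxHEIGHT made of plain digits, e.g. 1024x768.
valid_geometry() {
    case "$1" in
        *[!0-9x]*|x*|*x|*x*x*|"") return 1 ;;
        *x*) return 0 ;;
        *) return 1 ;;
    esac
}

# ssh joins its arguments and hands them to the remote shell, so refuse
# any path with characters outside a conservative safe set, and any
# path that starts with "-" and could be read as an option.
safe_path() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9._/-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the command line for the nested X server.
xephyr_cmd() { echo "Xephyr $NESTED_DISPLAY -screen $1"; }

# Print the viewer command line, sized to fill the nested server.
viewer_cmd() { echo "ssh -X $VIEW_USER@localhost xpdf -geometry $1+0+0 $2"; }

# Start Xephyr, run the viewer against it, then shut Xephyr down.
view_pdf() {
    valid_geometry "$1" || { echo "bad geometry: $1" >&2; return 2; }
    safe_path "$2" || { echo "unsafe path: $2" >&2; return 2; }
    $(xephyr_cmd "$1") &
    xephyr_pid=$!
    sleep 1    # crude wait for the nested server to start listening
    DISPLAY=$NESTED_DISPLAY $(viewer_cmd "$1" "$2")
    kill "$xephyr_pid"
}

# Run only when called with arguments: view-pdf.sh 1024x768 /path/file.pdf
if [ $# -eq 2 ]; then view_pdf "$1" "$2"; fi
```

The pf rules quoted above still apply to this setup, since they filter on the user the viewer runs as.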