On Fri, Jan 18, 2008 at 06:25:41PM +1300, Joel Wiramu Pauling wrote:
> chroot ;-).
>

See the previous threads on this list about the false sense of security
with virtualization and chroots in this context. Also see the previous
thread for how I'm separating things between "secure", "entertainment"
and the access boxes and terminals.

Doug.

> It is a pity that there is nothing like linux vservers for openbsd as yet ;-)
>
> On 18/01/2008, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> >
> > On Thu, Jan 17, 2008 at 06:17:54PM -0500, Douglas A. Tutty wrote:
> > > On Thu, Jan 17, 2008 at 05:11:53PM -0500, STeve Andre' wrote:
> > > > On Thursday 17 January 2008 03:42:38 pm Douglas A. Tutty wrote:
> > > > > I have a box that I want to keep as secure as I can but I also need to
> > > > > be able to use a graphical browser from it (I know that this is a
> > > > > trade-off).
> > > > >
> > > > > There is no graphical browser in base. I don't need or want this
> > > > > browser to do javascript or flash (I have a different box for
> > > > > entertainment). Of the browsers in packages, which browser would people
> > > > > think is likely the most secure?
> > > > [snip]
> > > >
> > > > Why not create an OpenBSD live CD with the stuff you want on it?
> > >
> > > Because this box will also be my main server. For details, see a
> > > previous thread (I forget the title) where I'm splitting things between
> > > a "secure" box where anything confidential will be kept, and an
> > > "entertainment" box for regular browsing with javascript and, where
> > > required, flash. Also for watching DVDs and listening to music.
> >
> > Have you considered that
> > a) you need to be very careful to properly separate these environments?
> > (No SSH, no shared passwords, no direct access to 'confidential' data,
> > etc.)
> > b) the barrier between different users is pretty strong? Outside of some
> > annoying symlink race conditions, there is very little mischief one
> > account can do to another account that does not require gaining root in
> > the first place. And most insecure software, at least on OpenBSD, will
> > allow you to crack an account but not root
> > c) graphical environments don't really belong on servers?
> >
> > Anyway, good luck. I can't think of any good suggestion except
> > re-iterating what was said above, and noting that w3m can display
> > graphics in an xterm.
> >
> > Joachim
> >
> > --
> > PotD: x11/gnome/audio - audio files for Gnome