On 20/06/07, Matthew Macdonald-Wallace <[EMAIL PROTECTED]> wrote:

> > In principle though yes, it would be nice if each app that faces an
> > untrusted network was in their own separate user space or jail.
>
> OK then, why not something like this:
>
> 1) App is installed into its own jail
> 2) A link is set up from given directories in each app's jail to
> /downloads, which is read only.
> 3) Any documents downloaded are saved to the dir in the jail, but can
> be accessed by any user via /downloads and copied from there to a home
> dir.
> 4) A cron job runs once a day and cleans out any files that are still
> in /downloads for security purposes.
Each application would still need access to system libraries, etc., though, and so would still be a security risk to some extent. You could look at SELinux, used by Fedora, which AFAIK uses policies to restrict what an application can do and where it can write to.

--
ubuntu-uk@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk
https://wiki.kubuntu.org/UKTeam/
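The layout proposed in the quoted message (a per-app download directory inside the jail, exposed through a shared /downloads, swept daily by cron) can be sketched in a few shell functions. This is an added example written for this page, not code from either poster or from Ubuntu; it assumes a caller-supplied base directory so it runs unprivileged, and it stands in for the real pieces with a symlink and directory permissions where a deployment would use an actual chroot/jail and a read-only bind mount. The names `setup_app_downloads` and `sweep_downloads` are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): simulate the per-app jail download
# directory with a shared, read-only /downloads view, plus the daily sweep
# from step 4.  Everything lives under a caller-supplied BASE directory so
# it runs unprivileged; a real deployment would use a read-only bind mount
# (mount --bind, then mount -o remount,ro) and a real chroot/jail instead
# of the symlink and chmod used here.
set -eu

# setup_app_downloads BASE APP
#   Creates BASE/jails/APP/downloads (writable only by the app's owner) and
#   exposes it as BASE/downloads/APP via a symlink.  Prints the exposed path.
setup_app_downloads() {
    base=$1; app=$2
    jail_dl="$base/jails/$app/downloads"
    mkdir -p "$jail_dl" "$base/downloads"
    # Other users may list and read the directory, but only the owner
    # (the jailed app's user) may write into it.
    chmod 0755 "$jail_dl"
    ln -sfn "$jail_dl" "$base/downloads/$app"
    printf '%s\n' "$base/downloads/$app"
}

# sweep_downloads BASE
#   The step-4 cron job: remove every regular file under each app's exposed
#   download directory.  find -H follows only the top-level symlink we
#   created ourselves; symlinks found deeper are not followed, so a link
#   dropped into the jail by the app cannot steer the sweep outside it.
#   Prints the number of files removed.
sweep_downloads() {
    base=$1
    count=0
    for link in "$base"/downloads/*; do
        [ -L "$link" ] || continue
        n=$(find -H "$link" -type f -print | wc -l)
        find -H "$link" -type f -delete
        count=$((count + n))
    done
    printf '%s\n' "$count"
}
```

Run `sweep_downloads /` (or whatever base the jails live under) from the daily cron entry. The point of `-H` rather than `-L` is the caveat the sweep needs: the job runs with more privilege than the jailed app, so it must not follow symlinks the app may have planted in its own download directory.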