Sandboxing Linux

Discussion in 'all things UNIX' started by TerryWood, Dec 27, 2009.

Thread Status:
Not open for further replies.
  1. TerryWood (Registered Member; joined Jan 14, 2006; 703 posts)

    Hi

    I am a newbie to Linux currently trying out Puppy Linux via Live CD.

    I want to know whether there is a program that is effectively like Sandboxie that will run on Puppy Linux to protect internet facing applications, just as in Windows?

    Thank you

    Terry
     
  2. Kerodo (Registered Member; joined Oct 5, 2004; 7,786 posts)

    There is no need for anything like that in Linux.
     
  3. chronomatic (Registered Member; joined Apr 9, 2009; 1,343 posts)

    Well, it's not really necessary for a desktop box, but yes, there are numerous ways to do it with Linux. I can think of 3 ways off the top of my head:

    Linux (and all Unices) has a built-in utility called chroot. With it you can create a new account and use chroot to sandbox it from the rest of the system.

    Another way is to use a Mandatory Access Control system like SELinux, AppArmor, SMACK, Tomoyo, or Grsecurity. Fedora comes with SELinux enabled and Ubuntu comes with AppArmor. All distros can be made to use one of the above MACs. With these MACs you can create an application-specific sandbox. That is, you can allow the application to do what it needs to do and nothing else. This means exploits will not work against it because this mandatory policy won't allow it. SELinux also has a feature called "sandbox -x" that will open a new GUI window that cannot interact with the rest of the system. So, for instance, you could use this new window to run an instance of Firefox in, and nothing Firefox does can affect anything on the system.

    A third way is to simply use a virtual machine.
     
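A worked version of chronomatic's first option, added here and not code from the thread: a script that builds a minimal chroot jail by copying a binary and the libraries it needs, plus a check of which MAC/LSM the running kernel has enabled. It assumes a Linux host with ldd, awk, cp and mktemp; entering the jail with chroot(8) needs root.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal chroot jail (chronomatic's
# first option) plus a check of which MAC/LSM the running kernel has enabled.
# Assumes Linux with ldd, awk, cp and mktemp; chroot(8) itself needs root.
set -eu

# Report the kernel's own LSM status: which modules are stacked, whether
# SELinux is enforcing (1) and whether AppArmor is enabled (Y). Prints
# "unknown"/"absent" instead of failing when securityfs is not mounted (containers).
lsm_status() {
  lsm=$(cat /sys/kernel/security/lsm 2>/dev/null || echo unknown)
  se=$(cat /sys/fs/selinux/enforce 2>/dev/null || echo absent)
  aa=$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null || echo absent)
  printf 'lsm=%s selinux_enforce=%s apparmor=%s\n' "$lsm" "$se" "$aa"
}

# Shared objects a dynamically linked binary needs, parsed from ldd output
# ("libc.so.6 => /lib/... (0x...)" and the bare "/lib64/ld-linux..." loader
# line). Prints nothing for a static binary or when ldd is missing.
jail_libs() {
  ldd "$1" 2>/dev/null | awk '$2 == "=>" { print $3 } $1 ~ /^\// { print $1 }' || true
}

# Populate jail directory $1 with binaries $2... and their libraries, each at
# the same path it has on the host so the loader finds them after chroot.
# Nothing else is copied: no /etc/passwd, no $HOME, no device nodes, so a
# process inside sees only what was deliberately put there.
build_jail() {
  jail=$1; shift
  for bin in "$@"; do
    for f in "$bin" $(jail_libs "$bin"); do
      mkdir -p "$jail$(dirname "$f")"
      cp -p "$f" "$jail$f"          # cp dereferences symlinks such as ld.so
    done
  done
  mkdir -p "$jail/tmp" && chmod 1777 "$jail/tmp"
  echo "$jail"
}

# Demo entry point (run as: sh jail.sh demo). Entering the jail needs root,
# so it is guarded; unprivileged runs only build it and print the command.
if [ "${1:-}" = "demo" ]; then
  lsm_status
  jail=$(build_jail "$(mktemp -d)" "$(command -v sh)" "$(command -v ls)")
  if [ "$(id -u)" -eq 0 ]; then
    chroot "$jail" "$(command -v sh)" -c 'ls /'   # only the copied dirs and tmp
  else
    echo "to enter as root: chroot $jail $(command -v sh)"
  fi
fi
```

Inside the jail the shell has no password database, no home directories and no network configuration, which is what limits an exploited internet-facing program; the MAC systems in the second option are what you reach for when the program needs a fuller environment.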
  4. Alphalutra1 (Registered Member; joined Dec 17, 2005; 1,160 posts; location: 127.0.0.0/255.0.0.0)

    systrace should do the trick. Just remember, nothing is perfect, and do not rely on any security program to be impenetrable and do whatever the heck you want and expect no repercussions. Being smart will do a ton more for you than any other program.

    Cheers,

    Alphalutra1
     