Date: Mon, 29 Aug 2016 15:10:50 +0300
From: Arto Pekkanen <isoa@kapsi.fi>
To: Jan Bramkamp <crest@rlwinm.de>
Cc: freebsd-x11@freebsd.org, owner-freebsd-x11@freebsd.org
Subject: Re: making X secure?
Message-ID: <1d9ef92a1920ad1e9aee92d2d56a5349@kapsi.fi>
In-Reply-To: <e9faebc3-8e41-f3ce-83b2-2efd58e41e54@rlwinm.de>
References: <57C2D94D.7040906@yahoo.com> <e9faebc3-8e41-f3ce-83b2-2efd58e41e54@rlwinm.de>

Need good documentation on how to make an X11 application run inside a jail
with a local X11 server. AFAIK there's no comprehensive guide for this setup.

Jan Bramkamp wrote on 29.08.2016 11:51:
> On 28/08/16 14:30, Jules Gilbert via freebsd-x11 wrote:
>> Is this possible?, can X be made secure??
>>
>> I need X for the Mozilla application family. Are those weak from a
>> security perspective?
>>
>> At the moment I'm doing other stuff and (this may be a foolish
>> thought...,) would accept a quick fix. Probably a really bad idea, I
>> know. But someone who's apparently good at this has hacked several
>> releases of FreeBSD and OpenBSD. About OpenBSD, as soon as one adds
>> (for me, necessary,) applications, it's not as advertised.
>>
>> Okay, one more time. Can X be made secure?
>
> X.org has an enormous attack surface and compromising the X11 server
> can allow you to capture all user input (including passwords). You can
> run a nested X11 server to reduce the attack surface and gain some
> defense in depth. You can also run Firefox and/or Thunderbird in a
> jail. The next step would probably be shipping audit records to a
> remote system with auditdistd. You can further lock down the jail with
> MAC modules if you like to play a few rounds of whack a mole with your
> applications.

-- 
Arto Pekkanen