[Linux-disciples] Running the browser as a separate user

Stephen R Laniel steve at laniels.org
Tue Nov 1 08:40:06 EST 2005


On Wed, Oct 19, 2005 at 05:02:37PM -0400, Adam Rosi-Kessel wrote:
> One problem with this is the "other" (browser) user won't have access to the
> X server.  At least, not without opening up permissions on the X server,
> which creates its own security problems.  (Unless someone knows a better way).

Reading a little about Xen today,
http://www.eweek.com/print_article2/0,1217,a=163867,00.asp
it occurs to me: could virtualization be used to achieve the
sort of security that my officemate was looking for? To
recap, his question was whether he could run his web browser
as a separate user to minimize the damage from any malicious
web pages.

Suppose that instead of running as a separate user, his web
browser ran inside an entirely separate virtual machine.
Inside that machine, there's only one user -- user
'webbrowser', say -- and very limited resources otherwise.
Does this buy us any extra security?

Is there any way for an app running inside the virtual
machine to break out and get access to the 'outer' machine?
That would, I suppose, be one of the big ways to defeat the
security of a virtual machine ... if it buys us any security
at all, which it may not; I've only recently started to
think about this stuff.

-- 
Stephen R. Laniel
steve at laniels.org
+(617) 308-5571
http://laniels.org/
PGP key: http://laniels.org/slaniel.key