From: Arto Pekkanen
To: Jan Bramkamp
Cc: freebsd-x11@freebsd.org, owner-freebsd-x11@freebsd.org
Date: Mon, 29 Aug 2016 15:10:50 +0300
Subject: Re: making X secure?
List-Id: X11 on FreeBSD -- maintaining and support

Need good documentation on how to make an X11 application run inside a
jail with a local X11 server. AFAIK there's no comprehensive guide for
this setup.

Jan Bramkamp wrote on 29.08.2016 11:51:
> On 28/08/16 14:30, Jules Gilbert via freebsd-x11 wrote:
>> Is this possible?, can X be made secure??
>>
>> I need X for the Mozilla application family. Are those weak from a
>> security perspective?
>>
>> At the moment I'm doing other stuff and (this may be a foolish
>> thought...,) would accept a quick fix. Probably a really bad idea, I
>> know. But someone who's apparently good at this has hacked several
>> releases of FreeBSD and OpenBSD. About OpenBSD, as soon as one adds
>> (for me, necessary,) applications, it's not as advertised.
>>
>> Okay, one more time. Can X be made secure?
>
> X.org has an enormous attack surface and compromising the X11 server
> can allow you to capture all user input (including passwords). You can
> run a nested X11 server to reduce the attack surface and gain some
> defense in depth. You can also run Firefox and/or Thunderbird in a
> jail. The next step would probably be shipping audit records to a
> remote system with auditdistd. You can further lock down the jail with
> MAC modules if you like to play a few rounds of whack a mole with your
> applications.

-- 
Arto Pekkanen