about security setting problem

Hi all, I want to know whether there is any method to set a program's permissions. For example, I don't want to let some programs access /bin or /etc ...
and I don't want the program to launch other programs. How can I do it without a jail?
 
What exactly are you trying to achieve here? Because on a regular system there shouldn't be any issues with having access to directories such as /bin. Anyway, you could look into chroot(8) which is a relatively easy way to shield programs from the rest of the system. Anything beyond that might be doable using resource limits, see this link: Chapter 14. Security (freebsd.org).

Still, I can't help but wonder if you're not trying to fight symptoms here.
 
Actually, when Firefox or another browser has a bug, the hacker will run exploit code to attack your browser and get root via an Xorg bug. I just want to prevent it from attacking.
 
As I mentioned: I think you're fighting symptoms here.

I mean... exploiting a possible browser bug and an alleged local root exploit? That's a lot of assumptions.
 
If you’re really that paranoid, you should actually run your web browser inside a jail or VM (such as bhyve). It requires some work to set up, but you will learn a lot of useful things.

Keep in mind that the program will still need access to certain files in /bin, /etc and other system directories. Just to mention some examples, programs will typically need access to files like /etc/services, /etc/protocols, /etc/localtime and a bunch of others. Normally that shouldn’t pose a problem if you take the usual precautions. Have a look at the security(7) manual page for a start.
 
Actually, when Firefox or another browser has a bug, the hacker will run exploit code to attack your browser and get root via an Xorg bug.
The attacks (these are two separate attacks) will simply exploit structures and code that's already running and in memory. Most exploits don't require access to the filesystem.
 
There's a WIP Capsicum patch for Firefox somewhere in Mozilla's bug tracker. (Mind you, I don't actually want OP to find it — nothing good can come from this, so no link.)
 