[Cryptography] In the latest unexpected ransomware twist ...
Jonathan Thornburg
jthorn4242 at gmail.com
Mon Jun 14 01:16:28 EDT 2021

On Sat, Jun 12, 2021 at 06:53:54AM -0500, Nabil Alsharif wrote:
> There is no reason my email client (or
> anything other than my ssh client) should have access to my ssh keys
> unless I explicitly authorize that access.

OpenBSD's /unveil/ syscall (supported in all releases since spring 2018)
can be used to do this. This syscall allows a process to state that
henceforth it should only have access to a restricted subset of the
filesystem, and then to "lock" that subset so that it can't be increased
for the remainder of the life of the process. The OpenBSD ports of
firefox, chrome, et al, call this in their startup code, setting things
up so that (among other restrictions) they can't access any of the
home-directories filesystem except for a single designated directory
(typically ~/Downloads).

I don't know what other Unix flavors have similar facilities.
--
-- "Jonathan Thornburg [remove -animal to reply]" <jthorn4242 at gmail-zebra.com>
Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
currently on the west coast of Canada
"To report on BitCoin without mentioning the drug dealing and child abuse
involved is like a history book describing the booming economies of the
ante-bellum cotton states without mentioning that it was all built on
slavery." -- Phill Hallem-Baker
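The call sequence described in the message above, as an added C example that is not part of the original post: a child process unveils one directory, locks the list with unveil(NULL, NULL), and then cannot open a key file it could read a moment earlier. The probe_after_unveil helper and the ~/.ssh/id_ed25519 path are assumptions made for illustration; the unveil calls take effect only on OpenBSD, and on other systems the probe reports "unsupported".

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

enum { PROBE_BLOCKED = 0, PROBE_READABLE = 1, PROBE_UNSUPPORTED = 2, PROBE_ERROR = 3 };

/* Hypothetical helper: fork a child, confine it to allowed_dir with unveil(2),
 * lock the list, then report whether secret_path can still be opened. */
int probe_after_unveil(const char *allowed_dir, const char *secret_path)
{
#ifdef __OpenBSD__
    pid_t pid = fork();
    if (pid < 0) return PROBE_ERROR;
    if (pid == 0) {
        if (access(secret_path, R_OK) == -1) _exit(PROBE_ERROR); /* must be readable before */
        if (unveil(allowed_dir, "rwc") == -1) _exit(PROBE_ERROR); /* only visible subtree */
        if (unveil(NULL, NULL) == -1) _exit(PROBE_ERROR);         /* lock: no more unveils */
        /* The lock lasts for the life of the process: widening now fails with EPERM. */
        if (unveil(secret_path, "r") != -1 || errno != EPERM) _exit(PROBE_ERROR);
        /* Paths outside the unveiled set now fail to open (ENOENT). */
        int fd = open(secret_path, O_RDONLY);
        _exit(fd == -1 ? PROBE_BLOCKED : PROBE_READABLE);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status)) return PROBE_ERROR;
    return WEXITSTATUS(status);
#else
    (void)allowed_dir; (void)secret_path;
    return PROBE_UNSUPPORTED; /* unveil(2) is not available on this system */
#endif
}

int main(void)
{
    /* Assumed sample paths: ~/Downloads as the allowed directory, an ssh key as the secret. */
    const char *home = getenv("HOME");
    char dl[1024], key[1024];
    static const char *msg[] = {"blocked", "readable", "unsupported", "error"};
    if (!home) return 1;
    snprintf(dl, sizeof dl, "%s/Downloads", home);
    snprintf(key, sizeof key, "%s/.ssh/id_ed25519", home);
    printf("open(%s) after unveil(%s): %s\n", key, dl, msg[probe_after_unveil(dl, key)]);
    return 0;
}
```

The probe runs in a forked child because the restriction cannot be undone once locked; the parent keeps its normal view of the filesystem.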