[Cryptography] In the latest unexpected ransomware twist ...
Viktor Dukhovni
cryptography at dukhovni.org
Mon Jun 14 01:58:10 EDT 2021
On Sun, Jun 13, 2021 at 10:16:28PM -0700, Jonathan Thornburg wrote:
> The OpenBSD ports of firefox, chrome, et al, call this in their
> startup code, setting things up so that (among other restrictions)
> they can't access any of the home-directories filesystem except for a
> single designated directory (typically ~/Downloads).
>
> I don't know what other Unix flavors have similar facilities.
FreeBSD has "capsicum":
https://www.freebsd.org/cgi/man.cgi?query=cap_enter&sektion=2&n=1
but neither unveil() nor cap_enter() is sufficient. If it is possible
to download and save files, we also need hard limits on any code
executed as a side-effect of opening or running said files.
Otherwise, the protection is ultimately still porous.
--
Viktor.