-----Original Message----- From: Ted Byers <r.ted.byers@gmail.com> To: openSuSE List <opensuse@opensuse.org> Subject: [opensuse] Sandboxes or jails on OpenSuse? How? Or is it possible on OpenSuse Linux Date: Wed, 6 Nov 2013 22:06:41 -0500 I was talking with a UNIX admin today about security, and he recommended a strategy involving what are temed jails on FreeBSD. He did say, he has limited experience on Suse and Ubuntu. Hence, my question for this community. What do security experts working on Suse (or Ubuntu if you have experience with that - I have one box running Suse and one running Ubuntu so info related to either would be useful to me). He said the core idea is to put applications and/or users in a kind of jail, or a seriously constrained environment, so that they can do no harm to the system on which the applicatin is running, or which the user is using. This sounds like a great idea, reminiscient of the original security model Sun developed for the first Java Applets. -----Original Message----- Hi Ted, Remember with regards to security, there isn't a holy grail, eg a single solution that fits for all. It's more like an onion, layers upon layers upon layers. And regarding weeping: all security comes at a costs, the higher lever you want, the more you have to invest in (more complicated) installation-procedure, cpu-power and user-interaction. To be more to the point. Apparmor and selinux do provide additional security, but for for the faint-harted. You can separete functionalities into dedicated virtual machines. And even then, XEN provides a better isolation then LXC or KVM, but at a performance costs. And even in a VM, you can make jails. Security is not only proper identification/authentication but much more, like availability (DOS). Some functionalities you certainly do not want to share hardware one. For instance, my CA i fon't trust to _any_ hardware, so i keep mine on a bootable stick in a vault. And with respect to user-interaction: at one end of the spectrum you might do guest-user-accounts, single-sign-on. While at the other end, lengthy passwords for different functionalities. Multi-level authentication. Much can/has been said/written on the subject. Too few take it seriously. Hans -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org