What: How can I restrict any number of client applications on a large-scale system, so that incoming data cannot be executed, nor can it be read from or written to beyond the application’s sandbox?
Explained: The point here is to restrict all incoming data in such a manner that malware is automatically incapacitated. I would like to do this without creating thousands of extra user accounts (since cache data and other application data must remain private) for each user’s applications.
Why: anti-virus tools can only respond to what they know. If this data is locked down in a manner that makes unknown code so limited in scope as to be ineffective, then neither viruses nor application bugs in the client software matter.
Windows: Windows could handle this problem by creating a single new account called “client_apps” or the like. This account would have its ability to bypass traverse checking disabled in the security policy. This account would only have the minimal rights over each client application’s user space. Cache files and such would be moved in the user templates to be lateral to each other, and “disable directory traversal” would be enabled on the root of each application’s paths. Other specific rights over objects like printers could be enabled as well. This prevents different users using the same client_app account from violating privacy, and prevents different applications run by the same user under the same client_app account from transitioning data from one client to another surreptitiously. There is no increase in overhead aside from the addition of a single user, for a system of any size or complexity.
My Understanding: My understanding is that Linux has effectively no capacity for this at all. You could create a new account for every single user for each client (client_bob_email, client_bob_web, client_jack_email, etc.) and give each appropriate rights… but with a moderately sized system of 2000 users and only five applications, you now have an extra 10,000 accounts to manage. Another approach would be to use a single account and jail every single client application process, but then you have trouble with the normal user interacting across the jails, plus the increased overhead and complexity of having thousands of jails running.
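The Windows design in the question rests on one mechanism: with the “bypass traverse checking” user right removed, an account must hold traverse permission on every directory leading to an object, so denying traverse at an application’s root cuts off everything beneath it no matter what the deeper ACLs say. The following added example (not from the question’s author, and not the operating system’s own access-check code) models that decision as a small reference monitor. The ACL table is constructed: the `client_apps` account is granted rights inside one application’s space (`/apps/email`) while a lateral application’s root (`/apps/web`) grants it no traverse, and a stale read grant is deliberately left on a file under `/apps/web` to show why the traverse rule matters.

```python
"""Model of the access decision described in the question: an account without
bypass traverse checking needs TRAVERSE on every ancestor directory, so a
missing TRAVERSE at an application's root denies the whole subtree.
Added illustrative model; the ACL table below is constructed, not real data."""

from dataclasses import dataclass

TRAVERSE, READ, WRITE = "traverse", "read", "write"


@dataclass(frozen=True)
class Account:
    name: str
    # The user right the question proposes to disable for "client_apps".
    bypass_traverse_checking: bool = False


def _ancestors(path):
    """Yield the directories leading to `path`, shallowest first: '/', '/apps', ..."""
    parts = [p for p in path.split("/") if p]
    for i in range(len(parts)):
        yield "/" + "/".join(parts[:i])  # i == 0 yields the root "/"


def rights_on(acls, obj, account):
    """Rights `account` holds on `obj`; an object absent from the table grants nothing."""
    return acls.get(obj, {}).get(account.name, set())


def access_check(acls, account, path, right):
    """Return True if `account` may exercise `right` on `path`.

    acls: object path -> {principal name: set of rights}  (constructed ACL table)
    """
    if not account.bypass_traverse_checking:
        # Every directory on the way must grant TRAVERSE; the first gap ends the walk.
        for directory in _ancestors(path):
            if TRAVERSE not in rights_on(acls, directory, account):
                return False
    # Bypass holders skip the walk and are judged on the final object alone.
    return right in rights_on(acls, path, account)


# Constructed layout: application roots lateral under /apps, as the question proposes.
ACLS = {
    "/": {"client_apps": {TRAVERSE}},
    "/apps": {"client_apps": {TRAVERSE}},
    "/apps/email": {"client_apps": {TRAVERSE}},
    "/apps/email/cache": {"client_apps": {TRAVERSE, READ, WRITE}},
    "/apps/email/cache/inbox.db": {"client_apps": {READ, WRITE}},
    "/apps/web": {},  # lateral application's root: no traverse for client_apps
    "/apps/web/cache": {"client_apps": {TRAVERSE, READ}},  # stale grant left behind
    "/apps/web/cache/history.db": {"client_apps": {READ}},  # stale grant left behind
}


def demo():
    """Compare the locked-down account with one that still holds the bypass right."""
    locked = Account("client_apps", bypass_traverse_checking=False)
    default = Account("client_apps", bypass_traverse_checking=True)
    return {
        # Own application's cache stays writable through a fully-traversable path.
        "own_cache_locked": access_check(ACLS, locked, "/apps/email/cache/inbox.db", WRITE),
        # Neighbour's file is unreachable: /apps/web grants no TRAVERSE.
        "neighbour_locked": access_check(ACLS, locked, "/apps/web/cache/history.db", READ),
        # With the bypass right, the stale READ grant alone is enough to expose it.
        "neighbour_bypass": access_check(ACLS, default, "/apps/web/cache/history.db", READ),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The third case is the failure mode the design guards against: a forgotten or mis-scoped grant deep inside another application’s tree is harmless only while the account cannot traverse to it, which is why the root of each lateral path, not just the leaf objects, has to deny traverse.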