# about security setting problem



## Raffeale (Feb 2, 2021)

Hi all, I want to know whether there is any method to set a program's permissions. For example, I don't want to let some programs access /bin or /etc ...
and I don't want the program to launch other programs. How can I do it without a jail?


----------



## ShelLuser (Feb 2, 2021)

What exactly are you trying to achieve here? Because on a regular system there shouldn't be any issues with having access to directories such as /bin. Anyway, you could look into chroot(8) which is a relatively easy way to shield programs from the rest of the system. Anything beyond that might be doable using resource limits, see this link: Chapter 14. Security (freebsd.org).

Still, I can't help but wonder if you're not trying to fight symptoms here.


----------



## Raffeale (Feb 2, 2021)

Actually, when Firefox or another browser has a bug, the hacker will run exploit code to attack your browser and get root via an Xorg bug. I just want to prevent it from attacking.


----------



## ShelLuser (Feb 2, 2021)

As I mentioned: I think you're fighting symptoms here.

I mean... exploiting a possible browser bug _and_ an alleged local root exploit? That's a lot of assumptions.


----------



## chrbr (Feb 2, 2021)

Dear Raffeale,
maybe https://forums.freebsd.org/threads/...-in-a-jail-using-iocage-and-ssh-jailme.53362/ is of interest to you.


----------



## olli@ (Feb 2, 2021)

If you’re really that paranoid, you should actually run your web browser inside a jail or VM (such as bhyve). It requires some work to set up, but you will learn a lot of useful things.

Keep in mind that the program will still need access to certain files in /bin, /etc and other system directories. Just to mention some examples, programs will typically need access to files like /etc/services, /etc/protocols, /etc/localtime and a bunch of others. Normally that shouldn’t pose a problem if you take the usual precautions. Have a look at the security(7) manual page for a start.


----------



## SirDice (Feb 2, 2021)

Raffeale said:


> Actually, when Firefox or another browser has a bug, the hacker will run exploit code to attack your browser and get root via an Xorg bug


The attacks (these are two separate attacks) will simply exploit structures and code that's already running and in memory. Most exploits don't require access to the filesystem.


----------



## Raffeale (Feb 2, 2021)

Thanks a lot for all the replies! I will try the jail.


----------



## Mjölnir (Feb 2, 2021)

For the issue of access to certain paths, you can set up a filesystem firewall ugidfw(8) and consult the Handbook. But as mentioned by SirDice, that does not prevent the exploits.


----------



## shkhln (Feb 3, 2021)

There's a WIP Capsicum patch for Firefox somewhere in Mozilla's bug tracker. (Mind you, I don't actually want OP to find it — nothing good can come from this, so no link.)


----------

