Sandbox X11 applications on OpenBSD
morgant/Xsunaba
Xsunaba

OVERVIEW

A utility to run X11 (or just X) applications in a rudimentary sandbox ('sunaba' being Japanese for sandbox) to limit their access to your files and to X11 events (especially keyboard input). The 'sandbox' consists of:

  1. A separate local user account under which the X11 application will be run, restricting access to your user files (assuming appropriate permissions are in place)
  2. A separate X session created and rendered into a window within your running X display using Xephyr, preventing the sandboxed X application from snooping on X11 events in the parent X session & display

IMPORTANT: this does not guarantee that access outside the sandbox user and display is prevented, but it should be at least marginally safer.

This is based on a script by Milosz Galazka (see Internet Archive's Wayback Machine archive) and ported to OpenBSD.

For those using Xsunaba under OpenBSD, some X11 applications in ports utilize the pledge(2) & unveil(2) functions to further restrict access to the filesystem.

PREREQUISITES

USAGE

  1. Add an xsunaba user:

     doas useradd -m xsunaba

  2. Add an entry to your /etc/doas.conf allowing your user passwordless access to the xsunaba user (replacing <USER> with your username):

     permit nopass <USER> as xsunaba

  3. Prefix your X11 application command with Xsunaba, for example:

     Xsunaba chrome --incognito &

     Xsunaba firefox --private-window &

Note: Xsunaba will automatically apply window geometry hacks to fit the Xephyr display for the following X11 applications: chrome and firefox.

ADVANCED USAGE

The following environment variables may be set to change Xsunaba's behavior:

  • VERBOSE: Set to true to show verbose output. Default: false.
  • XSUNABA_DISPLAY: Set a custom display number (incl. leading colon) to start Xephyr displays at. Default: :32.
  • XSUNABA_USER: Set the username to run the X11 application as. Default: xsunaba.
  • WIDTH: Set a custom Xephyr display width in pixels. Default: 1024.
  • HEIGHT: Set a custom Xephyr display height in pixels. Default: 768.
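To make the three USAGE steps and the environment variables above concrete, here is an added launcher sketch following the same sequence (nested Xephyr display, then the application run as the sandbox user via doas). It is example code, not Xsunaba's own script; it assumes Xephyr, xhost and doas are installed, that the "permit nopass <USER> as xsunaba" rule is in /etc/doas.conf, and that granting the sandbox user access to the nested display with an xhost server-interpreted local-user rule is acceptable in place of whatever the real script does.

```shell
#!/bin/sh
# Added example, not Xsunaba's own script: a minimal launcher that follows
# the sequence described in the README (nested Xephyr display + application
# run as the sandbox user). Assumes Xephyr, xhost and doas are installed and
# that /etc/doas.conf carries the "permit nopass <USER> as xsunaba" rule.

XSUNABA_USER="${XSUNABA_USER:-xsunaba}"
XSUNABA_DISPLAY="${XSUNABA_DISPLAY:-:32}"
WIDTH="${WIDTH:-1024}"
HEIGHT="${HEIGHT:-768}"
VERBOSE="${VERBOSE:-false}"

log() { [ "$VERBOSE" = true ] && printf '%s\n' "$*" >&2; return 0; }

# First unused display number at or above the configured start. A running X
# server holds /tmp/.X<N>-lock; the lock directory is a parameter so the
# probe can be exercised against a scratch directory.
find_free_display() {
    n="${1#:}"; lockdir="${2:-/tmp}"
    while [ -e "$lockdir/.X$n-lock" ]; do n=$((n + 1)); done
    printf ':%s' "$n"
}

run_sandboxed() {
    [ $# -ge 1 ] || { echo "usage: $0 <command> [args...]" >&2; return 2; }
    display=$(find_free_display "$XSUNABA_DISPLAY")
    log "starting Xephyr on $display (${WIDTH}x${HEIGHT})"
    # the nested session is rendered into one window of the parent display
    Xephyr "$display" -screen "${WIDTH}x${HEIGHT}" -title "Xsunaba $display" &
    xephyr_pid=$!
    i=0
    while [ ! -e "/tmp/.X${display#:}-lock" ] && [ $i -lt 50 ]; do
        sleep 0.1; i=$((i + 1))
    done
    # let only the sandbox user connect to the nested display (assumed
    # approach); the parent display's cookie is never handed to that user
    DISPLAY="$display" xhost "+SI:localuser:$XSUNABA_USER" >/dev/null
    log "running as $XSUNABA_USER on $display: $*"
    doas -u "$XSUNABA_USER" env DISPLAY="$display" "$@"
    kill "$xephyr_pid" 2>/dev/null
}

if [ $# -gt 0 ]; then run_sandboxed "$@"; fi
```

Invoke it as you would Xsunaba, e.g. `./launcher.sh firefox --private-window &`; with VERBOSE=true the chosen display and the final command are printed to stderr.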

Shared Files

If you want to share some files between your user and the xsunaba user, it is suggested that you create a directory owned by the xsunaba user and grant access to your user's group (generally the same name as your user). It is best to only move specific files into and out of this shared directory as needed, not to store data in it permanently, as any X11 application run using Xsunaba will have access to it.

IMPORTANT: This will weaken the security of your sandbox!

LICENSE

Released under the MIT License by permission.