Restrict access for STRAP to your files

To run untrusted software safely, you can create a new user account and run the Web-browser from this new account. It might be necessary to specify the Web-proxy for the browser if the Web-browser cannot access the Internet directly. All programs started from this Browser instance are running with the new user ID and cannot modify your files.

Usually your files can be read but not modified by other users. With more restrictive file permissions, files can be prevented from being read by other users.

File permissions are set with the WIKI:Context_menu (right-click the file) or with the shell command chmod. On Mac-OS file permissions are set in Finder ==> File ==> Get Info ==> Ownership and Permissions ==> Details

Mac-OSX

Create a new user sandbox

Apple menu ==> System preferences ==> Accounts
Open the terminal shell

Finder ==> Applications ==> Utilities ==> Terminal
Copy and paste the following two lines into the terminal of your account. Short explanation: The "echo" command writes the text enclosed in single quotes into the script file on the Desktop. The chmod command makes the script file executable ( +x means can be executed). Script files must have the ending ".command" and must have the file permission "executable".
```
 echo 'su - sandbox -c "open -a safari"'    >    ~/Desktop/safariInSandbox.command
 chmod +x ~/Desktop/safariInSandbox.command

         
```
Now double click the script file "dataFiles/safariInSandbox.command", which is on the Desktop. You will be prompted for the password for user sandbox. After entering the correct password Safari will start.

In case of problems you can enter the "su"-command enclosed in single quotes directly into the terminal so that you can read the error messages that might appear. Type "man su" for documentation of the command "su".

Linux/Unix

First create another user account "sandbox". In the following, a simple method to log-in as sandbox is described first. If this simple way fails due to security settings, then the second, more complicated way, will work for you.

The simple way: The command su
With the command su you can become another user. Type the shell command:
```
 su - sandbox
        
```
The password for "sandbox" will be requested. Check whether Who-am-I, correctly returns "sandbox".
```
 whoami
        
```
No you can start the browser:
```
 firefox
        
```
If the "su"-command works you can create shell script or an alias for convenience with the following content:
```
 su - sandbox -c firefox
        
```
However, if the "su"-command fails due to strict security settings there is a slight chance to get it working by adding yourself to the group "wheel". There is a forum discussion on this matter.
The more complicated way in case the other method failed: Sending an xterm to the X-Windows
Allow connections to the X-server:
```
 xhost +
        
```
Use a login shell to login as sandbox. Under Linux you have login shells at the text-consoles, which are opened with CTRL+ALT+F1 or CTRL+ALT+F2 ... CTRL+ALT+F6. At the shell prompt of sandbox type
```
 xterm -display :0.0  -bg yellow
        
```
Return to the X-Windows by typing CTRL+ALT+F7. Usually it is F7 but it might also be F3, F4 ... F9. Find the yellow xterm. Launch the browser e.g. Firefox in this yellow xterm.
```
 firefox &
        
```

Last modified: Sat Mar 7 16:20:19 Local time zone must be set--see zic manual page 2009 x