New ask Hacker News story: Ask HN: Mac developers, how do you secure your environment?
Ask HN: Mac developers, how do you secure your environment?
2 by tetraodonpuffer | 1 comments on Hacker News.
Given that it seems nowadays impossible to run applications as a different user (as in, logged in as user1, run IntelliJ as user2) on a Mac, how do you protect yourself against random dependencies or curlbash installers doing things you wouldn’t want them to? Something like Little Snitch can protect against something POSTing your key vault or other sensitive data somewhere. SSH/GPG keys can be put on a token, but what else can you do besides running everything on docker or in a VM and having to pay the performance overhead? It would be nice if it was possible to run a space as a different “sub user” with no permission on the master user’s files (maybe done via screen sharing to localhost?) and/or being able to assign folder/file access permission on a whitelist/blacklist basis per process for example. I personally have ended up separating all my documents and important browsing (banking etc) to a separate computer I ONLY use for that (with separate browser profiles too, I wish you could run firejail on Mac btw), but it would be nice if there was a way to improve the situation for cases where that is not possible.
2 by tetraodonpuffer | 1 comments on Hacker News.
Given that it seems nowadays impossible to run applications as a different user (as in, logged in as user1, run IntelliJ as user2) on a Mac, how do you protect yourself against random dependencies or curlbash installers doing things you wouldn’t want them to? Something like Little Snitch can protect against something POSTing your key vault or other sensitive data somewhere. SSH/GPG keys can be put on a token, but what else can you do besides running everything on docker or in a VM and having to pay the performance overhead? It would be nice if it was possible to run a space as a different “sub user” with no permission on the master user’s files (maybe done via screen sharing to localhost?) and/or being able to assign folder/file access permission on a whitelist/blacklist basis per process for example. I personally have ended up separating all my documents and important browsing (banking etc) to a separate computer I ONLY use for that (with separate browser profiles too, I wish you could run firejail on Mac btw), but it would be nice if there was a way to improve the situation for cases where that is not possible.
Comments
Post a Comment