Sandboxie equivalent for Mac?
August 5, 2008 7:54 AM

Who knows of a program like Sandboxie but for the Mac? Wikipedia's description: Sandboxie is a sandbox-type isolation software for the Microsoft Windows operating system. It creates a "container" in which programs can be safely launched without modifying the host's OS.
posted by concourse to Computers & Internet (12 answers total) 3 users marked this as a favorite

What would you need it for? The point of Sandboxie is to run a program like IE on Windows without allowing rogue websites to harm your computer. That wouldn't be a problem on OSX (or Linux, or Vista for that matter).
posted by sinfony at 8:15 AM on August 5, 2008


This is a bit drastic, but the purest way to do this would be to use Parallels or VMware Fusion to make a virtual machine, then trash it as you like. Save a duplicate of the hard disk "image" beforehand, and revert as needed.

I use a bunch of these in one of my jobs to test software in various (Mac) versions and environments, especially software that might spew data all over or mangle the file system.
posted by rokusan at 8:36 AM on August 5, 2008


The backup software (I use it, I love it) SuperDuper! has a sandbox function (.pdf). The pro version of SuperDuper! isn't free, but it's worth it. I have not used the sandbox option, though, so I can't comment directly on that.
posted by rtha at 8:46 AM on August 5, 2008


SuperDuper! offers a sandbox feature, which may or may not be what you're looking for. It seems to basically be a modified backup paradigm, but you can read the manual (PDF) to get more information.
posted by thejoshu at 8:51 AM on August 5, 2008


You don't need this for the Mac. By default the user in OS X is a limited (non-root) user. By default in XP the user is not limited. So in XP, if you run as an administrator all the time, you might want to run some processes in a sandbox or with lesser permissions.

OS X is already doing this for you. If there's a system change involved then you'll get a pop-up box asking for your administrator password. In windows you can run as a limited user and avoid all the sandboxing.
posted by damn dirty ape at 8:56 AM on August 5, 2008


"It creates a "container" in which programs can be safely launched without modifying the host's OS."

That's the default behavior of UNIX systems. If you want to take it beyond that and keep your suspect process from interacting with other user processes, what you're looking for is the "User Switching" feature. Create an account to run your application, switch the desktop to that account, run the application, and switch back. Accounts are the mechanism of privilege separation in the UNIX world.

It'd be neat to have this functionality integrated into a single-user desktop experience, and you could get close to it by abusing the sudo command, but the OSX WindowServer is a bit too trusting for this to be as airtight as you'd expect it to be.
posted by majick at 9:17 AM on August 5, 2008


If you really want to run something in sandbox mode under OS X (Leopard), just enable Guest Login (not sharing, just login at the login window as guest).

It is a one-time account, has limited privileges (by default OS X users are Admin users, and can modify the Applications folder and Library folder without being prompted for a password, but they cannot make sweeping system changes), and when you log out all modifications done in it are deleted.

Again, the first user still has admin privileges; if you want, create a second user without admin privileges, and then you can ONLY do system modifications by typing in the username and password of the first account.
posted by mrzarquon at 9:20 AM on August 5, 2008
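A defender's check that goes with the advice above (an added example, not code from anyone in the thread): before relying on a "second user without admin privileges", confirm who is actually in the admin group. The `dscl` and `id` commands are real; the sample `dscl` output and the helper function names are constructed for this example.

```shell
# Constructed sample of what `dscl . -read /Groups/admin GroupMembership`
# prints on macOS (user names are made up for this example).
SAMPLE_DSCL='GroupMembership: root alice bob'

# Extract the member list from a dscl-style "GroupMembership: ..." line.
# Prints one user name per line; prints nothing if the line is absent.
admin_members_from_dscl() {
    printf '%s\n' "$1" \
        | sed -n 's/^GroupMembership:[[:space:]]*//p' \
        | tr ' ' '\n' \
        | sed '/^$/d'
}

# Exit 0 if user $1 appears (exact match) in the membership output $2.
is_admin_in() {
    admin_members_from_dscl "$2" | grep -qx -- "$1"
}

# Live check on this machine: macOS via dscl, other Unixes via `id -Gn`.
# $1 is the admin group name to test (default: admin; e.g. sudo or wheel
# on Linux). Exit 0 if the current user is a member.
current_user_is_admin() {
    group="${1:-admin}"
    if command -v dscl >/dev/null 2>&1; then
        is_admin_in "$(id -un)" \
            "$(dscl . -read "/Groups/$group" GroupMembership 2>/dev/null)"
    else
        id -Gn | tr ' ' '\n' | grep -qx -- "$group"
    fi
}

# Usage: run interactively to see whether the account you are using for
# day-to-day work is still an admin.
if current_user_is_admin; then
    echo "current user IS in the admin group"
else
    echo "current user is NOT in the admin group"
fi
```

On a Leopard-era Mac the first account created is an admin, so expect the live check to report membership until a separate non-admin account is in use.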


I'm going to disagree with people who say this is Unix-based systems' default behaviour. It's not. *nixes do have a well-thought-out and implemented system of user and group access controls that limit what a particular user can do (but so do modern Windows systems). However, it is only as good as it is set up, and in my (admittedly limited) experience (I'm a Linux sysadmin) OSX tends to be fairly lax. Even well-set-up systems can fall foul of exploits that can take an innocent process and exploit it to gain root-level access. The traditional Unix approach to this problem is what's known as a chrooted jail. This traps a process within its own copy of the file system, and confines any potential damage there. There are a number of different ways of implementing this, but googling "chrooted jail" should lead you in the right direction.
posted by tallus at 10:02 AM on August 5, 2008


"Chroot is not and never has been a security tool. People have built things based upon the properties of chroot but extended (BSD jails, Linux vserver) but they are quite different." - Alan Cox
posted by PueExMachina at 8:00 PM on August 5, 2008


Response by poster: Is this the kind of thing you are looking for?

Not quite. I'm interested in something with a GUI.
posted by concourse at 7:54 AM on August 7, 2008


Response by poster: SuperDuper! offers a sandbox feature, which may or may not be what you're looking for. It seems to basically be a modified backup paradigm [...]

Never knew SuperDuper! had this feature. Still, it requires that one create a new 'Sandbox' partition, unlike Sandboxie -- which is a simple software install.
posted by concourse at 8:16 AM on August 7, 2008

