Sandboxie equivalent for Mac?
August 5, 2008 7:54 AM   Subscribe

Is this the kind of thing you are looking for?
posted by o0dano0o at 8:13 AM on August 5, 2008 [1 favorite]

What would you need it for? The point of Sandboxie is to run a program like IE on Windows without allowing rogue websites to harm your computer. That wouldn't be a problem on OSX (or Linux, or Vista for that matter).
posted by sinfony at 8:15 AM on August 5, 2008

This is a bit drastic, but the purest way to do this would be to use Parallels or VMWare Fusion to make a virtual machine, then trash it as you like. Save a duplicate of the hard disk "image" beforehand, and revert back as needed.

I use a bunch of these in one of my jobs to test software in various (Mac) versions and environments, especially software that might spew data all over or mangle the file system.
posted by rokusan at 8:36 AM on August 5, 2008

The backup software (I use it, I love it) SuperDuper! has a sandbox function (.pdf). The pro version of SuperDuper! isn't free, but it's worth it. I have not used the sandbox option, though, so I can't comment directly on that.
posted by rtha at 8:46 AM on August 5, 2008

SuperDuper! offers a sandbox feature, which may or may not be what you're looking for. It seems to basically be a modified backup paradigm, but you can read the manual (PDF) to get more information.
posted by thejoshu at 8:51 AM on August 5, 2008

You dont need this for the Mac. By default the user in OS X is a limited (non-root) user. By default in XP the user is not limited. So in XP, if you run as an administrator all the time, you might want to run some processed in a sandbox or with lesser permissions.

OS X is already doing this for you. If there's a system change involved then you'll get a pop-up box asking for your administrator password. In windows you can run as a limited user and avoid all the sandboxing.
posted by damn dirty ape at 8:56 AM on August 5, 2008

"It creates a "container" in which programs can be safely launched without modifying the host's OS. "

That's the default behavior of UNIX systems. If you want to take it beyond that and keep your suspect process from interacting with other user processes, what you're looking for is the "User Switching" feature. Create an account to run your application, switch the desktop to that account, run the application, and switch back. Accounts are the mechanism of privilege separation in the UNIX world.

It'd be neat to have this functionality integrated into a single-user desktop experience, and you could get close to it by abusing the sudo command, but the OSX WindowServer is a bit too trusting for this to be as airtight as you'd expect it to be.
posted by majick at 9:17 AM on August 5, 2008

If you really want to run something in sandbox mode under OS X (leopard), just enable Guest Login (not sharing, just login at the login window as guest).

It is a one time account, has limited privileges (by default OS X users are Admin users, and can modify the applications folder and library folder without being prompted for a password, but they cannot make sweeping systems changes) and when you log out all modifications done in it are deleted.

Again, the first user still has admin privileges, if you want, create a second user without admin privileges, and then you can ONLY do system modifications by typing in the username and password of the first account.
posted by mrzarquon at 9:20 AM on August 5, 2008

I'm going to disagree with people who say this is Unix based systems default behaviour. It's not. *nixs do have a well thought and implemented system of user and group access controls that limit what a particular user can do (but so do modern windows systems). However it is only as good as it is setup, and in my (admittedly limited) experience (I'm a linux sysadmin) OSX tends to be fairly lax. Even with well set upsystems can fall foul to exploits that can take an innocent process and exploit it to gain root level access. The traditional Unix approach to this problem is what's known as a chrooted jail. This traps a process within its own copy of the file system, and confines any potential damage there. There ar ea number of different ways of implementing this but googling chrooted jail should lead you in the right direction.
posted by tallus at 10:02 AM on August 5, 2008

"Chroot is not and never has been a security tool. People have built things based upon the properties of chroot but extended (BSD jails, Linux vserver) but they are quite different." - Alan Cox
posted by PueExMachina at 8:00 PM on August 5, 2008

« Older What is the best way for me to...   |   What are some small live music... Newer »

This thread is closed to new comments.