Seperation of Church (content) and State (intrawebs).

By Dave Young
Yeah, it seems pretty good and centrally configurable, and all that stuff most admins would agree is handy.

In Windows it's a bit "clunkier", but I just built a light Linux VM that runs the same chrooted browser as a Linux workstation, bridge the two Ethernet interfaces (host and guest), and then trash all the outgoing packets from the Windows IP with firewall rules / GPO or whatever. We get sound and Flash and Java and gnome-mplayer and all the regular crap people like about the internet, but it can't touch your data.


From: "Todd Smith" <todd@sohovfx.com>
To: discuss@studiosysadmins.com
Sent: Wednesday, April 3, 2013 5:13:20 PM
Subject: Re: [SSA-Discuss] Seperation of Church (content) and State (intrawebs).

@Brian - yes of course this is a constant battle with project requirements, but overall I think it would also lessen my load in terms of forensic analysis, crawling through logs etc.

@Willem - that was our first test a few years back; the biggest issue is sound passthrough and of course load balancing the backend, because you know there's that guy with like 20 tabs' worth of Flash games open. It's a solution but it's not really manageable. We also found that you can still transfer files to the application server (you can't separate scp from ssh).

@DY - This is interesting.


Todd Smith
Head of Information Technology

soho vfx 
99 Atlantic Ave. Suite 303, Toronto, Ontario M6K 3J8


We have accomplished this by way of a chroot jail that has everything you need to run Firefox 17 (with glibc etc. from CentOS 6.2).

Just built a simple jail served over NFS from an export one level above the projects, so that the browser has literally zero access to any project files. You can't upload or download anything from the internet. Want some reference? That's where you need to go to your PM (or other exempt machine / user) and say "download this for me".

The workstations use a helper program called schroot to chroot and launch in one go, and by using clever tricks in the chroot bashrc to instantly kill the session after Firefox closes, no one can tamper with the jail. Not that that would make a difference, because again, you literally cannot access project files from the jail, or the jail from outside of the jail (as a regular user).

-DY
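Two pieces of DY's set-up are easy to get subtly wrong: the jail export must sit beside the project tree rather than above or below it, and the "kill the session when the browser closes" trick only works if the shell is actually replaced. The POSIX sh script below is an added example, not code from the thread or from any of the studios involved; the paths, the `exec firefox` bashrc wording and the use of `true` as a stand-in for the browser are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for a chrooted-browser jail.
# Assumed layout: the jail and the project tree are sibling NFS exports.
JAIL_ROOT="${JAIL_ROOT:-/srv/exports/browserjail}"   # assumed path
PROJECTS="${PROJECTS:-/srv/exports/projects}"        # assumed path

# is_under PARENT CHILD: returns 0 when CHILD equals PARENT or lies beneath it.
# Pure string comparison on normalised paths, so it needs no filesystem access.
is_under() {
    parent=${1%/}
    child=${2%/}
    case "$child" in
        "$parent"|"$parent"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# layout_ok JAIL PROJECTS: the jail must neither contain the project tree
# (browser could read projects) nor sit inside it (project users could reach
# the jail). Returns 0 when the two trees are disjoint.
layout_ok() {
    if is_under "$1" "$2" || is_under "$2" "$1"; then
        return 1
    fi
    return 0
}

# shell_survives_exec: emulates the jail's bashrc ending in `exec firefox`
# (assumed wording). Because exec replaces the shell process, nothing after
# it runs once the browser exits, so no interactive shell is left in the jail.
# `true` stands in for the browser here; the output is empty when the trick works.
shell_survives_exec() {
    sh -c 'exec true; echo "shell still here"'
}

# Run the checks against the assumed layout.
if layout_ok "$JAIL_ROOT" "$PROJECTS"; then
    echo "layout ok: $JAIL_ROOT and $PROJECTS are disjoint"
else
    echo "layout BAD: $JAIL_ROOT and $PROJECTS overlap" >&2
fi
if [ -z "$(shell_survives_exec)" ]; then
    echo "exec trick ok: no shell remains after the browser exits"
else
    echo "exec trick BAD: a shell survived" >&2
fi
```

`layout_ok` encodes the "one level above the projects" rule as a property rather than a fixed path, so it also catches the common mistake of exporting the parent directory that holds both the jail and the projects.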


To unsubscribe from the list send a blank e-mail to mailto:studiosysadmins-discuss-request@studiosysadmins.com?subject=unsubscribe

