Skip to content
Running Safari via Leopard's sandbox-exec(1) to limit its privileges
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Sand-boxed Safari

What? Why?

Even Safari is not a 100% secure browser, Pwn2Own just demonstrated it again. But so are all browsers, there will always be zero-day exploits. Google's Chrome got not exploited in the contest. Why? Well, one reason is it uses sand-boxing.

But we love Safari, because it's Cocoa and feels like a real Mac app and stuff, right? So lets just make Safari more secure. Luckily Leopard provides a way to do this, it's called sandbox-exec(1).

This mini-project just uses Leopards bundled tools to ensure Safari can't execute other programs or write to files anywhere on the file-systems where it is not supposed to write to and this gives you way more security against exploits than a out of the box Safari has.

Even if an attacker gets into the Safari process, he will not be able to execute another process from it or write to critical file system paths to install something permanent on your system. This doesn't protect against the all attack-vectors but against the more common ones.

All this is based on what I found in wishi's blog post.


  1. Grab the tarball from GitHub

    curl -L > sandboxed-safari.tgz

  2. Extract it

    tar vxzf sandboxed-safari.tgz

  3. Switch to the directory

    cd torsten-sandboxed-safari<TAB>

  4. Run the customize.rb script

    ruby customize.rb
    This will patch the policy file and the wrapper script with the locations of the files on your Mac. You can also customize the 2 files on your own (it's not much work). But just using the script is way more convenient.

  5. Move all files to their proper locations

    mv /Applications/ /Applications/
    cp /Applications/
    cp /Applications/

  1. After this, try restarting Safari and try to download a file. If you can't save it to your home directory, everything should be working.


  1. Rename the original Safari executable
    mv /Applications/ /Applications/
  1. Delete the policy file
    rm /Applications/


I just tested it with Safari 3.2.1 (5525.27.1), I don't know how the 4.0 beta reacts to this.

In its current configuration it is not possible to download files do anywhere else than ~/Downloads/. If you want to have this feature you can just add the line


To the other write-allowed paths.

Also Sogudis man: URLs will not work anymore because Safari can not execute external processes anymore (whoops). You can probably change this my adjusting the policy file as well, I just did not put any efforts into it yet.

I did not encounter any other limitations or points where Safari provides less features in any other way.

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.