Launch a process with limited permissions
I'd like to be able to launch processes with very limited permissions from the command line, basically so that I can run a process that I don't understand without it having access to things in my user area. For example, if I get a package from some colleague who has a tendency to write overly intrusive installers, I could do something like this:

    > subdo make

would run make such that it wouldn't be allowed to touch any parent directories. Does any such functionality exist in Unix?

Tags: command-line, permissions, sandbox
You are looking for chroot, also called "BSD-jails".
– Johan, Jun 29 '13 at 16:04
asked Jun 29 '13 at 15:42 by Shep
3 Answers
The simplest way is to use the nobody account:

    sudo -u nobody make

nobody should never have permission to write to anything other than world-writable files.

answered Jun 30 '13 at 6:45 by bahamat
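Added example, not part of bahamat's answer: since nobody can only write where the mode bits let everyone write, the world-writable entries under a build tree are exactly the write surface that "sudo -u nobody make" gets. The helpers below list that surface before the build runs and create a sticky build directory that nobody can add files to without being able to remove anyone else's. Reads are not limited by any of this: whatever is world-readable (often the whole home directory) stays visible to the process. Assumed: a POSIX find, and sudo with a nobody account for run_as_nobody.

```shell
#!/bin/bash
# Added example (not from the answer). Helpers around "sudo -u nobody make":
# show what nobody could modify under a tree, and prepare a build directory
# that is writable by nobody without exposing anything above it.

# Print every file or directory under $1 whose mode has the other-write
# bit (o+w, octal 002) set, one per line, sorted. Symlinks are skipped since
# their own mode bits are not what controls access.
list_world_writable() {
    find "$1" -perm -002 ! -type l -print | sort
}

# Succeed (exit 0) when nothing under $1 is world-writable.
tree_is_clean() {
    [ -z "$(list_world_writable "$1")" ]
}

# Create $1 with mode 1777: nobody can create its own files there, but the
# sticky bit stops it from deleting or renaming files owned by other users.
# Prints the path so callers can capture it.
make_build_dir() {
    mkdir -p "$1" && chmod 1777 "$1" && echo "$1"
}

# Run "$@" as nobody from the current directory, after listing exactly which
# paths under it nobody will be able to modify. Requires sudo and a nobody
# account on the host (assumed).
run_as_nobody() {
    echo "world-writable under $PWD (modifiable by nobody):" >&2
    list_world_writable "$PWD" >&2
    sudo -u nobody -- "$@"
}

# Typical use: build=$(make_build_dir ./build); run_as_nobody make -C "$build"
```

The listing is the check to run before every untrusted build: if it shows anything other than the build directory you just created, nobody can write there too.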
> would run make such that it wouldn't be allowed to touch any parent directories.

This basically describes chroot:
- http://en.wikipedia.org/wiki/Chroot
- https://wiki.archlinux.org/index.php/Change_Root

Note, however, that when you chroot, the process will not have access to anything except the folders under the new root. That means that if the process needs to run some programs from e.g. /usr/bin or load some shared libraries from /usr/lib, it won't be able to do that unless you actually copy these under the new root. It really depends on the program you are trying to run.

You can find a lot of tutorials for different programs, e.g. here's a sample BIND chroot tutorial:
- http://www.tldp.org/HOWTO/Chroot-BIND8-HOWTO-2.html

edited 3 hours ago by Rui F Ribeiro
answered Jun 29 '13 at 16:13 by icyrock.com
Note that chroot is only useful against cooperative programs. A malicious program can easily escape the chroot unless you take a lot of extra precautions. For starters, there must be no process that the chrooted process can ptrace (so no process running as the same user outside the chroot, or non-parent ptrace disabled). Other bad things the chrooted process can do include network access (disable it for that user with iptables -m owner --uid-owner …), fork bombs (set stringent limits), etc.
– Gilles, Jun 29 '13 at 23:26

Agree, thanks for the additional info Gilles!
– icyrock.com, Jul 1 '13 at 0:13
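Added example, not part of icyrock.com's answer or Gilles' comment: the answer's caveat is that a chrooted program sees only what was copied under the new root, so its binary and every shared library it loads have to be staged there first. The helpers below parse ldd output to find those libraries, refuse to stage a program with unresolved dependencies (they would be missing inside the jail too), and launch the jail with two of the precautions from the comment, a uid used by nothing else on the host and a low process limit. Assumed: a Linux/glibc host with ldd, GNU cp (--parents) and GNU chroot (--userspec); CHROOT names the new root and JAIL_USER the account to run as. Staging needs no special rights, but chroot(8) itself runs as root.

```shell
#!/bin/bash
# Added example (not from the answer). Stage a program and its libraries
# under $CHROOT, then run it there as an unprivileged, otherwise unused uid.

# Read ldd output on stdin and print each resolved library path, one per line.
# ldd prints "name => /path (0xaddr)" for resolved libraries and "/path (0xaddr)"
# for the dynamic loader; entries such as linux-vdso.so.1 carry no path.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//                 { print $1 }'
}

# Print the names of libraries ldd could not resolve ("name => not found").
ldd_missing() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Constructed ldd output for a self-check (not captured from a real host).
sample_ldd_output() {
    printf '\t%s\n' \
        'linux-vdso.so.1 (0x00007ffd3a1f0000)' \
        'libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1e2c000000)' \
        '/lib64/ld-linux-x86-64.so.2 (0x00007f1e2c400000)' \
        'libmissing.so.1 => not found'
}

# Copy program $1 and its libraries under $CHROOT, keeping their paths.
# Only run ldd on binaries you trust (the host's own tools): ldd invokes the
# dynamic loader on the file, which on older glibc could execute it.
stage_into_chroot() {
    prog=$(command -v "$1") || { echo "no such program: $1" >&2; return 1; }
    if [ -n "$(ldd "$prog" | ldd_missing)" ]; then
        echo "unresolved libraries for $prog:" >&2
        ldd "$prog" | ldd_missing >&2
        return 1
    fi
    mkdir -p "$CHROOT"
    cp --parents "$prog" "$CHROOT/"
    ldd "$prog" | ldd_paths | while read -r lib; do
        cp --parents "$lib" "$CHROOT/"
    done
}

# Run "$@" inside $CHROOT as JAIL_USER with a process cap (run as root).
# A uid with no other processes on the host leaves nothing outside the jail
# for the program to ptrace; the low nproc limit blunts a fork bomb.
# JAIL_USER defaults to nobody:nogroup, a Debian-style pair (assumed).
run_in_chroot() {
    ulimit -u 64
    chroot --userspec="${JAIL_USER:-nobody:nogroup}" "$CHROOT" "$@"
}

# Typical use: CHROOT=/srv/jail stage_into_chroot make; run_in_chroot /usr/bin/make
```

Every program that make spawns (the compiler, the shell, the linker) has to be staged the same way, which is the point the answer makes about copying /usr/bin and /usr/lib contents in: the jail is only as complete as what you copy.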
en.wikipedia.org: Systrace
OpenBSD man page

Generate policy:

    systrace -A -d /etc/systrace/make.policy/ -E /var/log/systrace_make.log make

Edit policy with your favorite text editor:

    vi /etc/systrace/make.policy/

Thereafter, launch process with restrictions:

    systrace -a -d /etc/systrace/make.policy/ -E /var/log/systrace_make.log make

Look at my other answer about using systrace with sshd.

edited Apr 13 '17 at 12:36 by Community
answered Jul 6 '13 at 15:20 by stackexchanger
While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes.
– manatwork, Jul 6 '13 at 16:07

I will explain now how to use systrace, better. But anyway, Wikipedia links, while OpenBSD and Linux keep using systrace, should not be changed.
– stackexchanger, Jul 6 '13 at 16:10
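Added example, not part of stackexchanger's answer: the workflow above is "record what the program does, then enforce a policy". On Linux the stock tool for the recording step is strace rather than systrace, and the helpers below cover that step: trace_build records every file-related system call of an untrusted command and its children, and audit_writes reads that log and reports each modifying call whose path lies outside the directory the build is allowed to touch, which is the list you would turn into deny rules. Assumed: strace(1) and a POSIX awk; the log lines in sample_strace_log are constructed, not captured.

```shell
#!/bin/bash
# Added example (not from the answer). Record the file accesses of an
# untrusted build with strace, then flag writes outside the allowed tree.

# Record file-related syscalls of "$@" (including child processes) to log $1.
trace_build() {
    log=$1; shift
    strace -f -e trace=file -o "$log" -- "$@"
}

# Read strace output on stdin; print "syscall: path" for every modifying
# call whose path is outside the allowed directory $1. Failed calls are
# reported too, since the attempt is what matters when auditing.
audit_writes() {
    awk -v allowed="$1" '
    BEGIN { sub(/\/$/, "", allowed) }
    function outside(p) { return !(p == allowed || index(p, allowed "/") == 1) }
    {
        line = $0
        sub(/^[0-9]+ +/, "", line)              # pid prefix from "-f -o log"
        sub(/^\[pid +[0-9]+\] +/, "", line)     # pid prefix from "-f" to stderr
        if (!match(line, /^[a-z0-9_]+\(/)) next
        call = substr(line, 1, RLENGTH - 1)
        n = 0; rest = line                      # collect every quoted argument
        while (match(rest, /"[^"]*"/)) {
            args[++n] = substr(rest, RSTART + 1, RLENGTH - 2)
            rest = substr(rest, RSTART + RLENGTH)
        }
        if (n == 0) next
        if (call ~ /^(open|openat|creat)$/) {
            if (call != "creat" && line !~ /O_WRONLY|O_RDWR|O_CREAT|O_TRUNC/) next
            first = 1; last = 1                 # read-only opens are not writes
        } else if (call ~ /^(symlink|symlinkat)$/) {
            first = n; last = n                 # only the link itself is created
        } else if (call ~ /^(unlink|unlinkat|rename|renameat|renameat2|mkdir|mkdirat|rmdir|chmod|fchmodat|chown|fchownat|link|linkat|truncate|utimensat)$/) {
            first = 1; last = n                 # every path argument may change
        } else next                             # stat, access, execve, readlink: reads
        for (i = first; i <= last; i++)
            if (outside(args[i])) print call ": " args[i]
    }'
}

# Constructed sample of "strace -f -e trace=file -o" output (not a real capture):
# a build that also appends to a dotfile and tries to delete another one.
sample_strace_log() {
    printf '%s\n' \
        '12345 execve("/usr/bin/make", ["make"], 0x7ffe1c0e2a10 /* 20 vars */) = 0' \
        '12345 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3' \
        '12345 mkdir("/home/me/project/build", 0755) = 0' \
        '12345 openat(AT_FDCWD, "/home/me/project/build/foo.o", O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0666) = 4' \
        '12346 openat(AT_FDCWD, "/home/me/.bashrc", O_WRONLY|O_CREAT|O_APPEND|O_CLOEXEC, 0666) = 3' \
        '12346 unlink("/home/me/.profile") = -1 ENOENT (No such file or directory)' \
        '12346 rename("/home/me/project/a.tmp", "/home/me/project/a") = 0'
}

# Typical use: trace_build /tmp/make.trace make; audit_writes "$PWD" < /tmp/make.trace
if [ "${1:-}" = "--demo" ]; then
    sample_strace_log | audit_writes /home/me/project
fi
```

Like systrace -A, this only records what the program did on that run; a build that behaves differently later, or that checks whether it is being traced, is not covered by the log, so the recorded set is a starting point for a policy rather than a guarantee.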