Reputation: 1223
Please give me a hint to the simplest and lightest solution to isolate a Linux shell script (usually Ubuntu, in case it has something special).
What I mean by isolation:
1. Filesystem - the most important - I want it to be unable to access (read) any folders outside the workspace except those I will manually configure in some way.
2. Actually, other types of isolation do not matter.
"Soft" isolation is OK, I mean the script may just fail/abort if it tries to access (read) denied paths, but "hard" isolation, getting "Not found" for such attempts, looks like a cleaner solution.
I do not need any process isolation; the script may use sudo/fakeroot/etc. inside it, but this should not affect isolation.
Also, I plan to use different isolations inside one workspace:
for example, I have folders:
a/
b/
include/
target/
I want to make a
giving it access only to "a"(rw), "include"(r) and "target" (rw+sudo)
make b
giving it access only to "b"(rw), "include"(r) and "target" (rw+sudo)
and target will get both results from A and B, allowing B to overwrite any of the results of A - the same as if there were no isolation.
The goal of the isolation I'm talking about is to prevent B from reading from A, or even knowing that there is an A, and vice versa.
Thanks!
Upvotes: 0
Views: 1029
Reputation: 126
Two different users and SSH is a simple way to solve your problem. One of the key benefits is that this will start a "clean" environment in a new shell.
ssh <user_a>@localhost '<path_to_build_script_a>'
ssh <user_b>@localhost '<path_to_build_script_b>'
User a and b must both be members of the group that owns common directories.
Note that it's the directory write permission that decides if a user can create new files inside that directory.
Edit: 2013-07-29
For lots of sequential isolated builds like in your case, one solution is to do as you have already suggested: automate file permission changes so that each build only has access to the files and folders it should.
Upvotes: 1
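One way to automate the permission changes described in the answer above, as an added example that is not part of the original posts. It assumes Linux and the a/, b/, include/, target/ layout from the question; the function names and any account or group names passed to apply_layout are hypothetical.

```shell
#!/bin/sh
# Added example: modes for a workspace holding a/, b/, include/ and target/.

# apply_layout WORKSPACE [USER_A USER_B GROUP]
# Modes are always set. Ownership is changed only when the three names are
# given (assumed to exist already; chown needs root).
apply_layout() {
    _ws=$1
    mkdir -p "$_ws/a" "$_ws/b" "$_ws/include" "$_ws/target" || return 1
    if [ $# -eq 4 ]; then
        chown -R "$2" "$_ws/a" || return 1
        chown -R "$3" "$_ws/b" || return 1
        chown "root:$4" "$_ws/include" "$_ws/target" || return 1
    fi
    chmod 0700 "$_ws/a" "$_ws/b"   # owner only: the other build user cannot list or read
    chmod 0750 "$_ws/include"      # group may read and traverse, not create files
    chmod 2770 "$_ws/target"       # group may create files; setgid keeps the group on them
}

# mode_of DIR: print the ten-character type/permission string, e.g. drwx------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# audit_layout WORKSPACE: report every directory whose mode has drifted from
# the layout above; return 0 only when all four match.
audit_layout() {
    _ws=$1
    _rc=0
    for _pair in a:drwx------ b:drwx------ include:drwxr-x--- target:drwxrws---; do
        _dir=${_pair%%:*}
        _want=${_pair#*:}
        _got=$(mode_of "$_ws/$_dir")
        if [ "$_got" != "$_want" ]; then
            echo "$_dir: mode $_got, expected $_want"
            _rc=1
        fi
    done
    return $_rc
}
```

With these modes the other build user gets "Permission denied" on a/ or b/, which is the "soft" isolation the question describes. Running audit_layout before each build catches a directory that was loosened by an earlier step.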