Jeroen

Reputation: 16825

Unique Process Permissions Linux

Is there a way to give a process on Linux based systems unique permissions in C? I basically want to restrict a process (launched by a host, like an event handler) from editing any files outside its working directory, and creating sockets and such.

Would the only way to do it be to have a host process create a new user for each process it spawns and destroy the user afterwards?

Upvotes: 0

Views: 355

Answers (2)

You could use old setuid techniques to switch your process to the nobody uid and nogroup gid. These ids are designed to make a process unable to write any files (except inside all-writable directories).

Upvotes: 1

abligh

Reputation: 25129

The standard answer to this is chroot, which sets the process's root directory (and that of its children) to be the given directory.

However, if you want a better answer allowing you to isolate all aspects of the process and not just its file system, look at the unshare system call (wrapped in a modern glibc as a function). This is how containers are built.

Upvotes: 2
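The combination described in the answer above (unshare plus chroot), as an added example that is not part of the original thread: a host forks a child, the child enters new user and network namespaces, chroots into an empty directory, and then probes what it can still reach. The function names, result codes and the /tmp scratch path are illustrative assumptions, and the kernel must permit unprivileged user namespaces for the child to get past the first step.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE               /* exposes unshare() and CLONE_NEW* */
#endif
#include <arpa/inet.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWUSER             /* feature macro was set too late */
#include <linux/sched.h>
int unshare(int flags);
#endif

enum { CONFINED, LEAK, REFUSED, FAILED };  /* illustrative result codes */

/* Child side: isolate first, then probe what is still reachable. */
static int child_checks(const char *jail)
{
    /* The new user namespace supplies the capabilities chroot() needs. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0)
        return REFUSED;           /* kernel or sandbox policy forbids it */
    if (chroot(jail) != 0 || chdir("/") != 0)
        return REFUSED;
    if (access("/etc/passwd", F_OK) == 0)
        return LEAK;              /* host files are still visible */
    /* socket() still succeeds in the empty network namespace, but there
       is no route out. 192.0.2.1 is a documentation-only address. */
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(53) };
    inet_pton(AF_INET, "192.0.2.1", &a.sin_addr);
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    int routed = s >= 0 && connect(s, (struct sockaddr *)&a, sizeof a) == 0;
    return routed ? LEAK : CONFINED;
}

/* Host side: make an empty directory, confine a child to it, report. */
int run_confined(void)
{
    char jail[] = "/tmp/jail-XXXXXX";    /* constructed scratch path */
    if (!mkdtemp(jail)) return FAILED;
    pid_t pid = fork();
    if (pid == 0) _exit(child_checks(jail));
    int st = 0;
    int ok = pid > 0 && waitpid(pid, &st, 0) == pid && WIFEXITED(st);
    rmdir(jail);
    return ok ? WEXITSTATUS(st) : FAILED;
}
int main(void) { printf("result code: %d\n", run_confined()); return 0; }
```

A new network namespace removes routes and interfaces but does not stop the `socket()` call itself; blocking the call outright needs a syscall filter such as seccomp in addition to the namespaces.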
