Reputation: 4135
Creating temporary sandbox environment in unix
Just wondering is there any way to create a temporary sandbox environment for running commands?
My requirement is that i am hosting a webservice in unix and i need to execute a commanline tool to return output to the webservice client. since i am passing the values received from the client to the commanline tool, i would like to execute the commands in sandboxed environment.
Upvotes: 4
Views: 3509
Answers (3)
Reputation: 404
I routinely develop in sandboxes in Debian Linux and like to use chroots so that I don't destroy my host machine in case I do something stupid by accident (which happens a lot). I put together a set of scripts for Debian and Ubuntu for me to create chroots (both cross-distro and x86 in x86-64) which you may find helpful.
https://github.com/vtonehundred/vroot
Upvotes: 1
Reputation: 6317
You didn't say which Unix. Solaris zones do that easily. Here's an example how to set one up:
http://www.solarisinternals.com/wiki/index.php/Zones
Upvotes: 1
Reputation: 186
I'm not sure but, you can try to use the "chroot" command to create new "root" enviroment, for example,
If you have the directory structure and you want to "protect" the "license" file,
/
/etc
+ license
/bin
+ ls
/lib
+ ...
You can create a chroot enviroment as
itily@openzooey:~$ mkdir chroot_example
itily@openzooey:~$ cd chroot_example/
itily@openzooey:~/chroot_example$ mkdir -p usr/lib lib bin etc
itily@openzooey:~/chroot_example$ cd bin/
itily@openzooey:~/chroot_example/bin$ cp /bin/ls .
itily@openzooey:~/chroot_example/bin$ ldd ls
libsec.so.1 => /lib/libsec.so.1
libnvpair.so.1 => /lib/libnvpair.so.1
libcmdutils.so.1 => /lib/libcmdutils.so.1
libcurses.so.1 => /lib/libcurses.so.1
libc.so.1 => /lib/libc.so.1
libavl.so.1 => /lib/libavl.so.1
libidmap.so.1 => /usr/lib/libidmap.so.1
libnsl.so.1 => /lib/libnsl.so.1
libuutil.so.1 => /lib/libuutil.so.1
libmp.so.2 => /lib/libmp.so.2
libmd.so.1 => /lib/libmd.so.1
libm.so.2 => /lib/libm.so.2
Now populate the "shared lib" required by the ls command (using the ldd we know which are the required shared libs
itily@openzooey:~/chroot_example/bin$ ldd ls |awk '{print "cp "$3" lib/"}'
cp /lib/libsec.so.1 lib/
cp /lib/libnvpair.so.1 lib/
cp /lib/libcmdutils.so.1 lib/
cp /lib/libcurses.so.1 lib/
cp /lib/libc.so.1 lib/
cp /lib/libavl.so.1 lib/
cp /usr/lib/libidmap.so.1 lib/
cp /lib/libnsl.so.1 lib/
cp /lib/libuutil.so.1 lib/
cp /lib/libmp.so.2 lib/
cp /lib/libmd.so.1 lib/
cp /lib/libm.so.2 lib/
Now we need to copy to our new "lib" and usr/lib directory
itily@openzooey:~/chroot_example/bin$ cd ..
itily@openzooey:~/chroot_example$ ldd /bin/ls |awk '{print "cp "$3" lib/"}'|bash
itily@openzooey:~/chroot_example$ ls -ltr
total 9
drwxr-xr-x 2 itily staff 2 dic 22 14:37 etc
drwxr-xr-x 2 itily staff 3 dic 22 14:37 bin
drwxr-xr-x 2 itily staff 14 dic 22 14:38 lib
itily@openzooey:~/chroot_example$ cp /usr/lib/libidmap.so.1 usr/lib/
itily@openzooey:~/chroot_example$ cp /usr/lib/ld.so.1 usr/lib/
itily@openzooey:~/chroot_example$ cd lib/
itily@openzooey:~/chroot_example/lib$ ls -l
total 7615
-rwxr-xr-x 1 itily staff 14044 dic 22 14:38 libavl.so.1
-rwxr-xr-x 1 itily staff 1721400 dic 22 14:38 libc.so.1
-rwxr-xr-x 1 itily staff 26748 dic 22 14:38 libcmdutils.so.1
-rwxr-xr-x 1 itily staff 293876 dic 22 14:38 libcurses.so.1
-rwxr-xr-x 1 itily staff 97852 dic 22 14:38 libidmap.so.1
-rwxr-xr-x 1 itily staff 398704 dic 22 14:38 libm.so.2
-rwxr-xr-x 1 itily staff 87164 dic 22 14:38 libmd.so.1
-rwxr-xr-x 1 itily staff 25140 dic 22 14:38 libmp.so.2
-rwxr-xr-x 1 itily staff 648776 dic 22 14:38 libnsl.so.1
-rwxr-xr-x 1 itily staff 74776 dic 22 14:38 libnvpair.so.1
-rwxr-xr-x 1 itily staff 97500 dic 22 14:38 libsec.so.1
-rwxr-xr-x 1 itily staff 49556 dic 22 14:38 libuutil.so.1
itily@openzooey:~/chroot_example/lib$ cd ..
So, the final structure is
itily@openzooey:~/chroot_example$ ls -l
total 12
drwxr-xr-x 2 itily staff 3 dic 22 14:37 bin
drwxr-xr-x 2 itily staff 5 ene 10 20:43 etc
drwxr-xr-x 2 itily staff 14 ene 10 20:48 lib
drwxr-xr-x 3 itily staff 3 ene 10 20:40 usr
Also you need the group, passwd and other files
itily@openzooey:~/chroot_example$ echo "this is a test" > etc/license
itily@openzooey:~/chroot_example$ cd etc/
itily@openzooey:~/chroot_example/etc$ cat /etc/group |grep staff > group
itily@openzooey:~/chroot_example/etc$ cat /etc/passwd |grep itily > passwd
Now you can run the chroot command, but if you try to run as non root you will get the error
itily@openzooey:~$ chroot chroot_example bin/ls /etc
chroot: cannot change root directory to chroot_example: Not owner
So, you need to run as root
itily@openzooey:~$ pfexec chroot chroot_example /bin/ls -l /etc
total 6
-rw-r--r-- 1 101 10 11 Jan 10 19:43 group
-rw-r--r-- 1 101 10 18 Jan 10 19:42 license
-rw-r--r-- 1 101 10 49 Jan 10 19:43 passwd
I hope it's what you are looking for ...
Urko,
Upvotes: 5
Related Questions
- Sandboxing in Linux
- How to create a lightweight C code sandbox?
- PHP Sandbox environment
- Application and libraries "boxing"
- Creating a Drupal Sandbox
- Sandbox shell programs on time
- Sandboxing Mathematica on Unix
- Safe Python Environment in Linux
- Anyway to create a php sandbox for a user to develop in?
- Setting up a sandbox dev environment for Sharepoint