Say I run a program like so:

cd foo && program x y z

How can I give program access to only the directories in foo and below?

Pretend my fs looks like:

$HOME/
  foo/
  bar/
  baz/

If I run program in the foo/ dir, it obviously shouldn't have access to what's in bar/ or baz/, etc.

NOTE: My distro is Ubuntu 16.04 if that makes any difference.

slm
Alexander Mills
  • One way - https://unix.stackexchange.com/questions/105/chroot-jail-what-is-it-and-how-do-i-use-it. Might be more work than what you want. – slm Jul 08 '18 at 23:32
  • Related, possible duplicate - https://unix.stackexchange.com/questions/384117/linux-isolate-process-without-containers. – slm Jul 08 '18 at 23:37
  • None of those answers seem very good. Be brave and post one here and collect points. – Alexander Mills Jul 09 '18 at 00:59
  • Here's more resources to look into - https://unix.stackexchange.com/questions/64642/how-to-prevent-a-process-from-writing-files & https://unix.stackexchange.com/questions/6433/how-to-jail-a-process-without-being-root. – slm Jul 09 '18 at 03:47
  • Take a look at this Q, I think it solves your issue - https://unix.stackexchange.com/questions/153665/per-process-private-file-system-mount-points, if so I'd call your Q a duplicate of it. – slm Jul 09 '18 at 14:41
  • It's kinda crazy that Linux doesn't support this out of the box – Alexander Mills Jul 09 '18 at 17:35
  • I would argue that it does, that `unshare` command was on my CentOS 7.x by default. `unshare` cmd is in `util-linux-2.23.2-43.el7_4.2.x86_64`. That's part of defs. I've never contemplated using `chroot` or any of this directly, usually just go to a `docker` container instead. – slm Jul 09 '18 at 17:57
  • Why won't standard file system permissions work for you? Simple, well understood, effective. – roaima Jul 09 '18 at 18:05
  • @roaima sure if you can do that in a short bash script, please feel free to demonstrate. What I am looking for is a simple unix feature like so `run x`, where `run` is a program that will give the `x` executable only permissions to directories below cwd, etc. – Alexander Mills Jul 12 '18 at 05:00

1 Answer

This seems like a good answer: https://unix.stackexchange.com/a/384120/113238

so we'd do something like this:

chown app1 /var/lib/myapps/app1
chmod 700 /var/lib/myapps/app1
sudo -u app1 /var/lib/myapps/app1/run.sh

However, I'd like to find a solution that does not require sudo.

Alexander Mills
  • This does not stop the application from _accessing_ (reading) files elsewhere on the system. It only provides a directory that the application can write to, in a fashion very similar to how most daemons are running under special system accounts on most modern Unices. – Kusalananda Jul 12 '18 at 07:03
  • OK, I am just looking for answers to the OP that are reasonable. I don't think it should be so hard to find one, but it is – Alexander Mills Jul 12 '18 at 07:13
  • This is usually what a chroot is for, executing a process with a displaced root directory. – Kusalananda Jul 12 '18 at 07:25
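
Added example (not part of the original thread): a shell audit of the point raised in the comments on the answer, that `chmod 700` on the application's own directory does not stop it from reading files elsewhere. It assumes the dedicated account falls under the "other" permission class for everything checked and that no ACLs are set; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: the dedicated account
# is neither owner nor group member of the paths checked, and no ACLs are set.

# Succeeds if path $1 has every "other" permission bit in octal mask $2.
has_other_bits() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# Succeeds if "other" can read $2: the target needs o+r (o+rx for a directory)
# and every ancestor directory up to and including $1 needs o+x.
other_can_read() {
    r_top=$1; r_p=$2
    if [ -d "$r_p" ]; then r_need=005; else r_need=004; fi
    while has_other_bits "$r_p" "$r_need"; do
        case $r_p in "$r_top"|/|.) return 0 ;; esac
        r_p=$(dirname "$r_p"); r_need=001
    done
    return 1
}

# Prints every file and directory under $1, outside $2, that "other" can read.
audit_outside() {
    a_top=$1; a_app=$2
    find "$a_top" -path "$a_app" -prune -o \( -type d -o -type f \) -print |
    while IFS= read -r a_p; do
        [ "$a_p" = "$a_top" ] && continue
        if other_can_read "$a_top" "$a_p"; then printf '%s\n' "$a_p"; fi
    done
}

# Constructed sample tree mirroring the question's foo/ bar/ baz/ layout.
make_sample() {
    s=$1
    mkdir -p "$s/foo" "$s/bar" "$s/baz"
    echo data > "$s/bar/notes.txt"; echo secret > "$s/baz/key.txt"
    chmod 755 "$s" "$s/bar" "$s/baz"
    chmod 644 "$s/bar/notes.txt" "$s/baz/key.txt"
    chmod 700 "$s/foo"    # the answer's chmod 700 on the app directory
}

tmp=$(mktemp -d) && make_sample "$tmp"
echo "readable outside foo/ with only foo/ locked down:"
audit_outside "$tmp" "$tmp/foo"
chmod 700 "$tmp/bar" "$tmp/baz"    # remove group/other access on the siblings
echo "readable outside foo/ after chmod 700 on bar/ and baz/:"
audit_outside "$tmp" "$tmp/foo"
rm -rf "$tmp"
```

The second audit prints nothing even though the files inside bar/ and baz/ keep mode 644, because their parent directories no longer grant "other" the search bit.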