chmod - change permissions on a file

Question

I have a Python virtualenv, and the Python executable is located in the /bin directory. In this virtualenv I'll have to execute some unsafe code, that can damage my system. I tried to chmod a-r on the virtualenv, and now nobody can write there, but its parent directory is now unprotected.
So I thought I could change permissions on /bin/python, so that it can write nowhere, how can I do this?
I tried chmod a-r bin/python but it is still allowed to remove files and directories even outside the env.

Did the answers to your other question here answer this one? — Mat, Nov 12 '11 at 14:58

score 2 · Accepted Answer · edited Apr 13 '17 at 12:37

2

Firstly, chmod a-r bin/python does not prevent python to remove files. It prevents anyone not owner or not in the correct group to read that file.

If you wish to run unsafe code in a "jail", I suggest using chroot jail. Bear in mind that in order for chroot to run effectively, python executable should not be ran under root privileges.

edited Apr 13 '17 at 12:37

Community

1

answered Nov 12 '11 at 15:26

bbaja42

2,800

As is emphasized on the page you link to, chroot doesn't provide the security that BSD jails do, and it might help if we stopped talking informally of "chroot jails". (AFAIK no-one uses that phrase officially either.) If the code might be malicious and deliberately try to escape a chroot, this won't give you any protection. But there are many use cases where that's not a concern; you just want to protect against possibly broken code, etc. In those cases a chroot is a good solutions. – dubiousjim Jan 12 '13 at 13:21

score 1 · Answer 2 · answered Nov 12 '11 at 15:33

1

Python will run with the permissions of the user that invokes it, so you will never be able to limit what it can touch, manipulate and read.

answered Nov 12 '11 at 15:33

Tim

6,141

score 1 · Answer 3 · 2013-01-12T12:31:24.720

Actually, chmod a-r bin/python prevents the file's owner, those in the file's group, and all other users from reading the file (except the superuser of course). chmod o-r bin/python would prevent all users except the owner and those in the file's group from reading the file. The file permissions of an executable do not affect its ability to read or edit other files. File permissions only determine which users can read, write, and execute the files to which they are applied (and a few other things).

score 0 · Answer 4 · answered Jun 03 '14 at 09:09

I see several options:

Use a virtual machine
Run inside a chroot
Run under a different user
Restrict with a LKM like apparmor.

they are compatible, so you could apply several ones.

As mentioned above, a chroot or a different user won't aboid network (ab)usage.

Additionally, note that the restrictions imposed on /usr/bin/python will affect all the python programs you run. You may be interested in using a different filename for locking down without affecting the rest of the system.

chmod - change permissions on a file

4 Answers4