Say I run a program like so:

cd foo && program x y z

How can I give program access to only the directories in foo and below?

Pretend my fs looks like:

$HOME/
  foo/
  bar/
  baz/

If I run program in the foo/ dir, it obviously shouldn't have access to what's in bar/ or baz/, etc.

NOTE: My distro is Ubuntu 16.04 if that makes any difference.

  • One way - https://unix.stackexchange.com/questions/105/chroot-jail-what-is-it-and-how-do-i-use-it. Might be more work than what you want. – slm Jul 08 '18 at 23:32
  • Related, possible duplicate - https://unix.stackexchange.com/questions/384117/linux-isolate-process-without-containers. – slm Jul 08 '18 at 23:37
  • None of those answers seem very good. Be brave and post one here and collect points. – Alexander Mills Jul 09 '18 at 00:59
  • Here are more resources to look into - https://unix.stackexchange.com/questions/64642/how-to-prevent-a-process-from-writing-files & https://unix.stackexchange.com/questions/6433/how-to-jail-a-process-without-being-root. – slm Jul 09 '18 at 03:47
  • Take a look at this Q, I think it solves your issue - https://unix.stackexchange.com/questions/153665/per-process-private-file-system-mount-points, if so I'd call your Q a duplicate of it. – slm Jul 09 '18 at 14:41
  • It's kinda crazy that Linux doesn't support this out of the box – Alexander Mills Jul 09 '18 at 17:35
  • I would argue that it does, that unshare command was on my CentOS 7.x by default. unshare cmd is in util-linux-2.23.2-43.el7_4.2.x86_64. That's part of defs. I've never contemplated using chroot or any of this directly, usually just go to a docker container instead. – slm Jul 09 '18 at 17:57
  • Why won't standard file system permissions work for you? Simple, well understood, effective. – Chris Davies Jul 09 '18 at 18:05
  • @roaima Sure, if you can do that in a short bash script, please feel free to demonstrate. What I am looking for is a simple unix feature like so: run x, where run is a program that will give the x executable only permissions to directories below cwd, etc. – Alexander Mills Jul 12 '18 at 05:00

1 Answer

This seems like a good answer: https://unix.stackexchange.com/a/384120/113238

So we'd do something like this:

chown app1 /var/lib/myapps/app1
chmod 700 /var/lib/myapps/app1
sudo -u app1 /var/lib/myapps/app1/run.sh

However, I'd like to find a solution that does not require sudo.

  • This does not stop the application from accessing (reading) files elsewhere on the system. It only provides a directory that the application can write to, in a fashion very similar to how most daemons are running under special system accounts on most modern Unices. – Kusalananda Jul 12 '18 at 07:03
  • OK, I am just looking for answers to the OP that are reasonable. I don't think it should be so hard to find one, but it is. – Alexander Mills Jul 12 '18 at 07:13
  • This is usually what a chroot is for, executing a process with a displaced root directory. – Kusalananda Jul 12 '18 at 07:25
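
Added example, not part of the original thread: the comment above points out that the chown/chmod 700 approach does not stop the application from reading files elsewhere. The sketch below audits that from the defender's side by listing files outside the app's directory whose mode bits leave them readable to an unrelated account such as app1. The function names and the sample tree are constructed for illustration, and only mode bits inside the audited root are checked (no ACLs, group membership, or directories above the root).

```shell
#!/bin/sh
# Added example; audits permission bits only.

# readable_by_others ROOT KEEP
# Print regular files under ROOT, outside KEEP, that an account which is
# neither the owner nor a group member could read. A directory without
# other-execute blocks traversal, so everything below it is skipped.
readable_by_others() {
    find "$1" -path "$2" -prune -o \
        -type d ! -perm -o+x -prune -o \
        -type f -perm -o+r -print | sort
}

# make_sample_tree: constructed layout mirroring the question's foo/bar/baz.
# Prints the path of the new tree.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/foo" "$t/bar" "$t/baz"
    echo data  > "$t/foo/data.txt"
    echo notes > "$t/bar/notes.txt"
    echo key   > "$t/bar/key.pem"
    echo other > "$t/baz/secret.txt"
    chmod 755 "$t" "$t/bar"          # bar is left open to everyone
    chmod 700 "$t/foo" "$t/baz"      # foo plays the app's own directory
    chmod 644 "$t/foo/data.txt" "$t/bar/notes.txt" "$t/baz/secret.txt"
    chmod 600 "$t/bar/key.pem"
    echo "$t"
}

# Demo: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    echo "Still readable by an unrelated account, outside $tree/foo:"
    readable_by_others "$tree" "$tree/foo"
    rm -rf "$tree"
fi
```

Every path it prints is one the sandboxed account could still open; tightening the sibling directory (for example chmod 700 on bar) removes its files from the list.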