[task #15701] Sandboxing the execution of the project
From: Mohammad Akhlaghi
Subject: [task #15701] Sandboxing the execution of the project
Date: Sun, 5 Jul 2020 16:13:18 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

Follow-up Comment #6, task #15701 (project reproduce):

Very nice summary Mohammad-reza, I really enjoyed reading it and also learnt a
lot!

As an initial test, I made a 'temporary' directory in my home account on one
of our servers. Just to confirm that 'chroot' doesn't work, I tried
'chroot'ing to it and got an "Operation not permitted" result:

    $ chroot temporary/
    chroot: cannot change root directory to 'temporary/': Operation not permitted

Then I started following your examples. The first command worked and I became
"nobody":

    [me@server ~]$ unshare -U bash
    [nobody@server ~]$

The second command also worked and I became "root":

    [me@server ~]$ unshare -U -r bash
    [root@server ~]$

The third command also worked. Just to confirm that this root is fake, I also
tried going to the root directory and writing something there:

    [me@server ~]$ unshare -U -r -m bash
    [root@server ~]$ cd /
    [root@server /]$ echo "test" > test.txt
    bash: test.txt: Permission denied

Then, in my home directory, I ran the first 'chroot' command above and this
time it didn't complain about permissions any more (so it passed that phase!).
But it complained about not finding '/bin/bash' in the newly rooted directory
(which was expected because the directory was empty!):

    [root@server ~]$ chroot temporary/
    chroot: failed to run command ‘/bin/bash’: No such file or directory

So this does seem like a promising path! What do others think?

'unshare' is part of 'util-linux', which also builds on macOS. I really wonder
how this would work on macOS. Raul, if you get the chance later, can you try
it out?

But overall, as you said, if we can do a 'chroot', then the next step would
be task #15390 (Installing GNU C Library within project). Fortunately some
good progress has been made on that front, with the basic Make recipes being
written for a successfully usable C library, but there is still some work
necessary for the later parts of that task...
_______________________________________________________
Reply to this item at:
<https://savannah.nongnu.org/task/?15701>
_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/
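
The last 'chroot' in the message above fails only because the target directory is empty. As an added example (not part of the original message or of the project's code), this script copies the host's bash and the shared libraries that ldd reports for it into the directory, then runs the same unshare and chroot sequence. The function names populate_root and enter_root are hypothetical, and it assumes ldd, util-linux 'unshare' and 'chroot' are on the PATH.

```shell
#!/bin/sh
# Added example (not from the original message). Assumes a host with ldd,
# and util-linux 'unshare' plus coreutils 'chroot' for the final step.

# populate_root ROOT [SHELL]: copy SHELL (default: the host's bash) to
# ROOT/bin/bash, plus every shared library that ldd reports for it.
populate_root() {
    root=$1
    shell_path=${2:-$(command -v bash)} || return 1
    [ -n "$root" ] && [ -x "$shell_path" ] || return 1

    mkdir -p "$root/bin" || return 1
    cp -L "$shell_path" "$root/bin/bash" || return 1

    # ldd prints "name => /path (addr)" or "/path (addr)"; keep only the
    # absolute paths. A static binary yields nothing to copy, which is fine.
    ldd "$shell_path" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
        while read -r lib; do
            [ -f "$lib" ] || continue
            # Recreate the library's directory under ROOT; -L follows symlinks
            # so the new root holds real files, not links pointing outside it.
            mkdir -p "$root$(dirname "$lib")" &&
                cp -L "$lib" "$root$lib" || exit 1
        done
}

# enter_root ROOT: the sequence from the message as one command: new user
# namespace (-U), caller mapped to root (-r), new mount namespace (-m),
# then chroot into ROOT, where /bin/bash now exists.
enter_root() {
    unshare -U -r -m chroot "$1" /bin/bash
}

# Usage: sh this-script.sh temporary/
if [ "$#" -ge 1 ]; then
    populate_root "$1" && enter_root "$1"
fi
```

The shell started inside the new root sees only what was copied in, so commands such as 'ls' are absent until they are added the same way.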