[task #15701] Sandboxing the execution of the project

[Mohammadreza Khellat]

Follow-up Comment #10, task #15701 (project reproduce):

[comment #9 comment #9:]
> If I understand correctly, it requires a log-in by the user and wraps over
their shell. We can't force users to do this! A principle of Maneage is to
have no effect on the host ;-).
>
Yeah as I mentioned, JAIL is a login shell. 
And It is going to be used as the default shell of a user.

I suggest going through the full configuring Jail section. It is a quick easy
read.

But, as I mentioned at the top of my comment, the reason I shared this site is
to see what a *minimal* chroot environment is composed of. 

If you remember, the discussion last time reached this point that we couldn't
do a chroot to the project's folder because some system components didn't
exist in the project folder such as /bin/bash,... 
   
> You also mentioned one-time engagement of root privilege, which we also
can't assume in Maneage.
> 
> Please correct me if I am wrong ;-).
Now getting back to my last argument, imagine the following scenario on a
server:

1- the server admin has created a user for jailed chroot. This user has
/usr/local/bin/jail as its defau;t shell in /etc/passwd or what other user
management system, the server is using.

2- You as an ordinary user login to your own shell.

3- you create a user namespace.

4- inside the user namespace, you login to that user created in step 1 and you
run your project with that user.

Of course, I am not suggesting this in general. Only, as a test in Server
environments and as a very raw idea.

    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/task/?15701>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/