Limit a process to a specific directory (and sub-directories)?
News category: Linux Tips
Source: reddit.com
Suppose I want to run a script, a command or a generic executable. Is there a way to prevent said process accessing files outside the current working directory?
I know there is chroot, but it's not very ergonomic because one has to prepare the virtual environment with all the dependencies.
macOS has a nice (but limited) feature that restricts access to common user directories (desktop, documents and so on) showing a dialog the first time a process is trying to access something inside these folders.
I guess I'm looking for a sandbox runtime like the one provided by deno and its Permission API.
It is probably possible to achieve something similar using docker containers and mounting only specific volumes. I tried this, but it wasn't good enough; the configuration wasn't trivial.
I'm wondering if there is something at the system level to achieve this with as little overhead as possible, both in terms of resources and time to configure.
For those interested in the "Why": when a user launches a process, it runs with the user permissions by default, thus it's able to read from (and write to) the file system just like a user is. This is something that really makes me uncomfortable because it means a malicious script/program can easily steal my ssh keys, not to mention all my personal and/or confidential data.