unix, sandbox

Creating temporary sandbox environment in unix


Just wondering, is there any way to create a temporary sandbox environment for running commands?

My requirement is that I am hosting a web service on Unix and I need to execute a command-line tool to return output to the web service client. Since I am passing the values received from the client to the command-line tool, I would like to execute the commands in a sandboxed environment.


Solution

  • I'm not sure, but you can try to use the "chroot" command to create a new "root" environment. For example,

    If you have the directory structure and you want to "protect" the "license" file,

    /
    /etc
     + license
    /bin
     + ls
    /lib
     + ...
    

    You can create a chroot environment as

    itily@openzooey:~$ mkdir chroot_example
    itily@openzooey:~$ cd chroot_example/
    itily@openzooey:~/chroot_example$ mkdir -p usr/lib lib bin etc
    itily@openzooey:~/chroot_example$ cd bin/
    itily@openzooey:~/chroot_example/bin$ cp /bin/ls .
    itily@openzooey:~/chroot_example/bin$ ldd ls 
            libsec.so.1 =>   /lib/libsec.so.1
            libnvpair.so.1 =>        /lib/libnvpair.so.1
            libcmdutils.so.1 =>      /lib/libcmdutils.so.1
            libcurses.so.1 =>        /lib/libcurses.so.1
            libc.so.1 =>     /lib/libc.so.1
            libavl.so.1 =>   /lib/libavl.so.1
            libidmap.so.1 =>         /usr/lib/libidmap.so.1
            libnsl.so.1 =>   /lib/libnsl.so.1
            libuutil.so.1 =>         /lib/libuutil.so.1
            libmp.so.2 =>    /lib/libmp.so.2
            libmd.so.1 =>    /lib/libmd.so.1
            libm.so.2 =>     /lib/libm.so.2
    

    Now populate the "shared lib" required by the ls command (using ldd we know which are the required shared libs)

    itily@openzooey:~/chroot_example/bin$ ldd ls |awk '{print "cp "$3" lib/"}'
    cp /lib/libsec.so.1 lib/
    cp /lib/libnvpair.so.1 lib/
    cp /lib/libcmdutils.so.1 lib/
    cp /lib/libcurses.so.1 lib/
    cp /lib/libc.so.1 lib/
    cp /lib/libavl.so.1 lib/
    cp /usr/lib/libidmap.so.1 lib/
    cp /lib/libnsl.so.1 lib/
    cp /lib/libuutil.so.1 lib/
    cp /lib/libmp.so.2 lib/
    cp /lib/libmd.so.1 lib/
    cp /lib/libm.so.2 lib/
    

    Now we need to copy to our new "lib" and usr/lib directory

    itily@openzooey:~/chroot_example/bin$ cd ..
    itily@openzooey:~/chroot_example$ ldd /bin/ls |awk '{print "cp "$3" lib/"}'|bash 
    itily@openzooey:~/chroot_example$ ls -ltr
    total 9
    drwxr-xr-x   2 itily    staff          2 dic 22 14:37 etc
    drwxr-xr-x   2 itily    staff          3 dic 22 14:37 bin
    drwxr-xr-x   2 itily    staff         14 dic 22 14:38 lib
    
    itily@openzooey:~/chroot_example$ cp /usr/lib/libidmap.so.1 usr/lib/
    itily@openzooey:~/chroot_example$ cp /usr/lib/ld.so.1 usr/lib/
    itily@openzooey:~/chroot_example$ cd lib/
    itily@openzooey:~/chroot_example/lib$ ls -l
    total 7615
    -rwxr-xr-x   1 itily    staff      14044 dic 22 14:38 libavl.so.1
    -rwxr-xr-x   1 itily    staff    1721400 dic 22 14:38 libc.so.1
    -rwxr-xr-x   1 itily    staff      26748 dic 22 14:38 libcmdutils.so.1
    -rwxr-xr-x   1 itily    staff     293876 dic 22 14:38 libcurses.so.1
    -rwxr-xr-x   1 itily    staff      97852 dic 22 14:38 libidmap.so.1
    -rwxr-xr-x   1 itily    staff     398704 dic 22 14:38 libm.so.2
    -rwxr-xr-x   1 itily    staff      87164 dic 22 14:38 libmd.so.1
    -rwxr-xr-x   1 itily    staff      25140 dic 22 14:38 libmp.so.2
    -rwxr-xr-x   1 itily    staff     648776 dic 22 14:38 libnsl.so.1
    -rwxr-xr-x   1 itily    staff      74776 dic 22 14:38 libnvpair.so.1
    -rwxr-xr-x   1 itily    staff      97500 dic 22 14:38 libsec.so.1
    -rwxr-xr-x   1 itily    staff      49556 dic 22 14:38 libuutil.so.1
    itily@openzooey:~/chroot_example/lib$ cd ..
    

    So, the final structure is

    itily@openzooey:~/chroot_example$ ls -l
    total 12
    drwxr-xr-x   2 itily    staff          3 dic 22 14:37 bin
    drwxr-xr-x   2 itily    staff          5 ene 10 20:43 etc
    drwxr-xr-x   2 itily    staff         14 ene 10 20:48 lib
    drwxr-xr-x   3 itily    staff          3 ene 10 20:40 usr
    

    Also you need the group, passwd and other files

    itily@openzooey:~/chroot_example$ echo "this is a test" > etc/license
    itily@openzooey:~/chroot_example$ cd etc/
    itily@openzooey:~/chroot_example/etc$ cat /etc/group |grep staff > group
    itily@openzooey:~/chroot_example/etc$ cat /etc/passwd |grep itily > passwd
    

    Now you can run the chroot command, but if you try to run as non root you will get the error

    itily@openzooey:~$ chroot chroot_example bin/ls /etc
    chroot: cannot change root directory to chroot_example: Not owner
    

    So, you need to run as root

    itily@openzooey:~$ pfexec chroot chroot_example /bin/ls -l /etc
    total 6
    -rw-r--r--   1 101      10            11 Jan 10 19:43 group
    -rw-r--r--   1 101      10            18 Jan 10 19:42 license
    -rw-r--r--   1 101      10            49 Jan 10 19:43 passwd
    

    I hope it's what you are looking for ...

    Urko,
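
The manual steps in the answer above (copy the binary, read `ldd`, copy each library) can be scripted so the jail keeps every file at its original path and can be checked for gaps. This is an added example, not part of the original answer; the function names `list_deps`, `copy_into`, `build_jail` and `jail_missing` are hypothetical.

```shell
#!/bin/sh
# Added example: populate a chroot directory with a binary and the shared
# objects ldd reports for it, keeping each file at its original path.

# list_deps BIN: print absolute paths of the shared objects BIN needs.
# Accepts "name => /path" lines and bare "/path (addr)" lines (the runtime
# loader on Linux); skips "not found" and entries that have no path.
list_deps() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    ' | sort -u
}

# copy_into JAIL PATH: copy PATH to JAIL/PATH, following symlinks.
copy_into() {
    mkdir -p "$1$(dirname "$2")" && cp -L "$2" "$1$2"
}

# build_jail JAIL BIN [EXTRA...]: copy BIN, its dependencies and any extra
# files (for example a loader that ldd does not list) under JAIL.
build_jail() {
    jail=$1 bin=$2
    [ -x "$bin" ] || { echo "not executable: $bin" >&2; return 1; }
    shift 2
    for f in "$bin" "$@"; do
        copy_into "$jail" "$f" || return 1
    done
    list_deps "$bin" | while IFS= read -r lib; do
        copy_into "$jail" "$lib" || exit 1
    done
}

# jail_missing JAIL BIN: print dependencies of BIN that are absent from JAIL.
jail_missing() {
    list_deps "$2" | while IFS= read -r lib; do
        [ -e "$1$lib" ] || echo "$lib"
    done
}
```

With the layout from the answer, `build_jail chroot_example /bin/ls /usr/lib/ld.so.1` reproduces the copies done by hand, and an empty result from `jail_missing chroot_example /bin/ls` confirms nothing was left out before `chroot` is run.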