Difference between revisions of "Sandbox Process Isolation in Linux"

From Free Knowledge Base- The DUCK Project: information for everyone
Jump to: navigation, search
(Created page with "Terms: jail, chroot jail, sandbox, Linux Containers: http://lxc.sourceforge.net/ Containers which offer an environment as close as possible as the one you'd get from a VM b...")
 
(No difference)

Latest revision as of 07:40, 24 July 2020

Terms: jail, chroot jail, sandbox,

Linux Containers: http://lxc.sourceforge.net/

Containers which offer an environment as close as possible as the one you'd get from a VM but without the overhead that comes with running a separate kernel and simulating all the hardware.

Note that LXC isn't enough for everything. For example, if the application has access to an X server, it can do pretty much everything to other applications running on the same X server.

chroot Jail

  • a chroot operation changes the apparent root directory for a running process and its children.
  • the program (process) will run with a root directory other than /.
  • the program (process) cannot see or access files outside the designated directory tree.
  • the fake root directory is known as the chroot jail
  • limitation, the chroot root user can still create device nodes and mount the file systems on them.

Set up your chroot jail...

chroot /home/nicolep/chjail

The fake root directory for the program(s) will be /home/nicolep/chjail which will appear as the fs / root to the process. However, the chjail root is empty with no binary operating system external commands (such as those in /bin)

mkdir /home/nicolep/chjail/bin
cp /bin/bash /home/nicolep/chjail/bin

Find dynamic links and manually copy them also. You can see dynamic links

ldd /bin/bash

Now supply all the other bash shell commands to the chroot jail you require