
"Extreme sandboxing"

Posted Nov 5, 2007 16:44 UTC (Mon) by charlieb (guest, #23340)
Parent article: Daniel Bernstein: ten years of qmail security

In the section "5.2 Isolating single-source transformations" Dan shows how to safely
sandbox(*) a program which does a data transformation (jpegtopnm for example) so that it can
only perform a data transformation. He says: "Existing UNIX tools make this sandbox tolerably
easy for root to create". Which is true. What he doesn't say is that existing UNIX tools don't
allow non-root accounts to create such a safe space.  That greatly limits the usefulness of
those particular techniques - but also could imply a program of future OS development. Why
shouldn't an unprivileged process be able to chdir and chroot to an empty directory?

*) The procedure might be flawed however. I notice that step one sets RLIMIT_NOFILES to zero.
The OpenGroup says that setting zero will produce undefined behaviour
(http://www.opengroup.org/onlinepubs/009695399/functions/g...).

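The kind of single-source sandbox the comment discusses, as an added example written for this page rather than code from the article, from qmail or from the commenter: a child process is wired to two data pipes on fds 0 and 1, chrooted into a fresh empty directory, dropped to an unprivileged uid, and then has RLIMIT_NOFILE lowered to zero. The transformation (an uppercase filter) is a constructed stand-in for jpegtopnm, Linux is assumed, /tmp is assumed writable, and uid 65534 is assumed to be an unprivileged account. It also shows both of the commenter's points in practice: the chroot and uid steps are only attempted when the caller is root (an unprivileged caller gets the degraded sandbox and the parent is told so), and because POSIX leaves an RLIMIT_NOFILE below _POSIX_OPEN_MAX unspecified, the child verifies the Linux behaviour it relies on: descriptors that are already open keep working, and every attempt to create a new one fails with EMFILE.

```c
/* Added example (not code from the article, qmail or this thread). Linux only. */
#define _GNU_SOURCE
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

#define UNPRIV_UID 65534   /* assumption: an unprivileged uid such as "nobody" */
enum { CHILD_CHROOTED = 0, CHILD_NO_CHROOT = 2, CHILD_LEAK = 3 };   /* child exit codes */

static int write_all(int fd, const unsigned char *p, size_t n)
{
    while (n > 0) {
        ssize_t w = write(fd, p, n);
        if (w < 0) { if (errno == EINTR) continue; return -1; }
        p += w; n -= (size_t)w;
    }
    return 0;
}

/* The transformation proper: fd 0 in, fd 1 out, nothing else touched. */
static void transform_stdin_to_stdout(void)
{
    unsigned char buf[4096];
    ssize_t r;
    while ((r = read(0, buf, sizeof buf)) > 0) {
        for (ssize_t i = 0; i < r; i++) buf[i] = (unsigned char)toupper(buf[i]);
        if (write_all(1, buf, (size_t)r)) _exit(CHILD_LEAK);
    }
}

/* Child side: wire up the data pipes, lock down, transform, report. */
static void sandboxed_child(const char *jail, int in_fd, int out_fd)
{
    struct rlimit none = { 0, 0 };
    int chrooted = 0;

    /* dup2 first: once n >= RLIMIT_NOFILE, dup2 onto fd n fails with EBADF. */
    if (dup2(in_fd, 0) < 0 || dup2(out_fd, 1) < 0) _exit(CHILD_LEAK);
    for (int fd = 3; fd < 1024; fd++) close(fd);   /* nothing else comes along */
    /* The root-only steps: chroot into an empty directory, then give up root. An
     * unprivileged caller cannot do either; a root caller denied chroot is reported alike. */
    if (geteuid() == 0 && chroot(jail) == 0) {
        if (chdir("/") || setgid(UNPRIV_UID) || setuid(UNPRIV_UID)) _exit(CHILD_LEAK);
        if (access("/etc/passwd", F_OK) == 0) _exit(CHILD_LEAK);   /* jail must be empty */
        chrooted = 1;
    }
    /* RLIMIT_NOFILE = 0. On Linux the descriptors already open keep working and
     * every open/dup/pipe/socket now fails with EMFILE. POSIX leaves values below
     * _POSIX_OPEN_MAX unspecified, hence the explicit check before trusting it. */
    if (setrlimit(RLIMIT_NOFILE, &none)) _exit(CHILD_LEAK);
    if (open("/", O_RDONLY) >= 0 || errno != EMFILE) _exit(CHILD_LEAK);
    transform_stdin_to_stdout();
    _exit(chrooted ? CHILD_CHROOTED : CHILD_NO_CHROOT);
}

/* Parent side: feed `in` to the child, collect up to `cap` bytes of output. Returns the
 * output length, or -1 if the sandbox could not be set up; *chrooted reports whether the
 * full (root) sandbox was applied. */
long sandboxed_transform(const unsigned char *in, size_t n,
                         unsigned char *out, size_t cap, int *chrooted)
{
    char jail[] = "/tmp/xform-jail.XXXXXX";   /* fresh, empty chroot target */
    int to_child[2], from_child[2], status;
    size_t got = 0;
    ssize_t r;
    pid_t pid;

    if (!mkdtemp(jail)) return -1;
    if (pipe(to_child) || pipe(from_child) || (pid = fork()) < 0) { rmdir(jail); return -1; }
    if (pid == 0) sandboxed_child(jail, to_child[0], from_child[1]);   /* never returns */
    close(to_child[0]); close(from_child[1]);
    signal(SIGPIPE, SIG_IGN);   /* a dying child must not take the parent with it */
    /* Small inputs only: writing it all before reading would deadlock on a full pipe. */
    write_all(to_child[1], in, n);
    close(to_child[1]);
    while (got < cap && (r = read(from_child[0], out + got, cap - got)) > 0) got += (size_t)r;
    close(from_child[0]);
    waitpid(pid, &status, 0);
    rmdir(jail);
    if (!WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) != CHILD_CHROOTED && WEXITSTATUS(status) != CHILD_NO_CHROOT) return -1;
    if (chrooted) *chrooted = (WEXITSTATUS(status) == CHILD_CHROOTED);
    return (long)got;
}

int main(void)
{
    const char *msg = "hello, sandbox\n";   /* constructed input */
    unsigned char out[64]; int chrooted = -1;
    long n = sandboxed_transform((const unsigned char *)msg, strlen(msg), out, sizeof out, &chrooted);
    if (n < 0) { fprintf(stderr, "sandbox setup failed\n"); return 1; }
    printf("%s%.*s", chrooted ? "[chrooted] " : "[not root, chroot skipped] ", (int)n, out);
    return 0;
}
```

Run it once as an ordinary user and once as root to see the two outcomes the comment contrasts: the output is the same, but only the root run reports the full sandbox. The EMFILE probe is the check that matters on a different kernel; if it fails there, the rlimit-of-zero step cannot be relied on as the isolation mechanism.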

"Extreme sandboxing"

Posted Nov 5, 2007 17:22 UTC (Mon) by i3839 (guest, #31386)

Linux has seccomp, which a process can enable via prctl(), but hardly anyone knows about it.
Perhaps it's too secure, as it only enables read/write/exit/sigreturn and disallows
everything else.
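The prctl()-enabled sandbox the comment refers to, as an added example written for this page (not code from the article, from qmail or from the commenter). It assumes a Linux kernel built with seccomp; the echoing child and the "ping" message are constructed. A child enters strict mode with prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT), copies its input to its output, and then, in the second run, makes one call outside the permitted four (getpid), which the kernel answers with SIGKILL; the parent observes both endings through waitpid(). Two things a practitioner hits immediately are handled in the code: glibc's _exit() uses exit_group, which strict mode does not allow, so the child leaves through the raw exit syscall, and it stays on the plain read/write wrappers rather than stdio or malloc, which may issue other syscalls.

```c
/* Added example (not from the article, qmail or this thread). Linux only. */
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef SECCOMP_MODE_STRICT
#define SECCOMP_MODE_STRICT 1   /* value from <linux/seccomp.h> */
#endif

struct strict_result {
    int supported;          /* 0 if the kernel refused strict mode (or fork/pipe failed) */
    int killed;             /* 1 if seccomp terminated the child with SIGKILL */
    int exit_code;          /* meaningful only when killed == 0 */
    size_t out_len;
    unsigned char out[64];
};

/* Child: echo stdin to stdout under strict mode, then optionally break the rules. */
static void strict_child(int in_fd, int out_fd, int misbehave)
{
    unsigned char buf[64];
    ssize_t n;

    if (dup2(in_fd, 0) < 0 || dup2(out_fd, 1) < 0) _exit(3);
    close(in_fd); close(out_fd);
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0) _exit(4);   /* not supported here */

    /* From here on only read, write, exit and sigreturn are allowed. glibc's _exit()
     * is exit_group, which is NOT on that list, so leave via the raw exit syscall. */
    while ((n = read(0, buf, sizeof buf)) > 0)
        if (write(1, buf, (size_t)n) != n) syscall(SYS_exit, 5);
    if (misbehave)
        syscall(SYS_getpid);   /* not on the list: the kernel kills the process right here */
    syscall(SYS_exit, 0);
}

/* Parent: run the child on `in`, gather its output and how it ended. */
struct strict_result run_strict(const unsigned char *in, size_t n, int misbehave)
{
    struct strict_result r;
    int to_child[2], from_child[2], status;
    ssize_t got;
    pid_t pid;

    memset(&r, 0, sizeof r);
    if (pipe(to_child) || pipe(from_child) || (pid = fork()) < 0) return r;   /* supported == 0 */
    if (pid == 0) {
        close(to_child[1]); close(from_child[0]);
        strict_child(to_child[0], from_child[1], misbehave);   /* never returns */
    }
    close(to_child[0]); close(from_child[1]);
    signal(SIGPIPE, SIG_IGN);   /* the misbehaving child dies early; do not die with it */
    if (write(to_child[1], in, n) < 0) perror("write");
    close(to_child[1]);   /* EOF lets the child's read loop finish */
    while (r.out_len < sizeof r.out &&
           (got = read(from_child[0], r.out + r.out_len, sizeof r.out - r.out_len)) > 0)
        r.out_len += (size_t)got;
    close(from_child[0]);
    waitpid(pid, &status, 0);

    if (WIFSIGNALED(status)) {
        r.supported = 1;
        r.killed = (WTERMSIG(status) == SIGKILL);
    } else if (WIFEXITED(status)) {
        r.exit_code = WEXITSTATUS(status);
        r.supported = (r.exit_code != 4);
    }
    return r;
}

int main(void)
{
    const unsigned char msg[] = "ping\n";   /* constructed input */
    struct strict_result ok = run_strict(msg, 5, 0);
    struct strict_result bad = run_strict(msg, 5, 1);
    if (!ok.supported) { fprintf(stderr, "seccomp strict mode unavailable\n"); return 1; }
    printf("well-behaved child: exit %d, echoed %.*s", ok.exit_code, (int)ok.out_len, ok.out);
    printf("child calling getpid(): %s\n", bad.killed ? "SIGKILLed by seccomp" : "survived?!");
    return 0;
}
```

The kill is silent from the child's point of view: there is no error return to handle, the process is simply gone, so anything it has not already written to fd 1 is lost. Later kernels (3.5 onwards) added a filter mode, SECCOMP_MODE_FILTER, in which a BPF program chooses the permitted syscalls, which answers the "too secure" objection; strict mode remains available as the simplest policy.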


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds