Creating temporary sandbox environment in unix_问答_开发者

Just wondering is there any 开发者_开发问答way to create a temporary sandbox environment for running commands?

My requirement is that i am hosting a webservice in unix and i need to execute a commanline tool to return output to the webservice client. since i am passing the values received from the client to the commanline tool, i would like to execute the commands in sandboxed environment.

I'm not sure but, you can try to use the "chroot" command to create new "root" enviroment, for example,

If you have the directory structure and you want to "protect" the "license" file,

/
/etc
 + license
/bin
 + ls
/lib
 + ...

You can create a chroot enviroment as

itily@openzooey:~$ mkdir chroot_example
itily@openzooey:~$ cd chroot_example/
itily@openzooey:~/chroot_example$ mkdir -p usr/lib lib bin etc
itily@openzooey:~/chroot_example$ cd bin/
itily@openzooey:~/chroot_example/bin$ cp /bin/ls .
itily@openzooey:~/chroot_example/bin$ ldd ls 
        libsec.so.1 =>   /lib/libsec.so.1
        libnvpair.so.1 =>        /lib/libnvpair.so.1
        libcmdutils.so.1 =>      /lib/libcmdutils.so.1
        libcurses.so.1 =>        /lib/libcurses.so.1
        libc.so.1 =>     /lib/libc.so.1
        libavl.so.1 =>   /lib/libavl.so.1
        libidmap.so.1 =>         /usr/lib/libidmap.so.1
        libnsl.so.1 =>   /lib/libnsl.so.1
        libuutil.so.1 =>         /lib/libuutil.so.1
        libmp.so.2 =>    /lib/libmp.so.2
        libmd.so.1 =>    /lib/libmd.so.1
        libm.so.2 =>     /lib/libm.so.2

Now populate the "shared lib" required by the ls command (using the ldd we know which are the required shared libs

itily@openzooey:~/chroot_example/bin$ ldd ls |awk '{print "cp "$3" lib/"}'
cp /lib/libsec.so.1 lib/
cp /lib/libnvpair.so.1 lib/
cp /lib/libcmdutils.so.1 lib/
cp /lib/libcurses.so.1 lib/
cp /lib/libc.so.1 lib/
cp /lib/libavl.so.1 lib/
cp /usr/lib/libidmap.so.1 lib/
cp /lib/libnsl.so.1 lib/
cp /lib/libuutil.so.1 lib/
cp /lib/libmp.so.2 lib/
cp /lib/libmd.so.1 lib/
cp /lib/libm.so.2 lib/

Now we need to copy to our new "lib" and usr/lib directory

itily@openzooey:~/chroot_example/bin$ cd ..
itily@openzooey:~/chroot_example$ ldd /bin/ls |awk '{print "cp "$3" lib/"}'|bash 
itily@openzooey:~/chroot_example$ ls -ltr
total 9
drwxr-xr-x   2 itily    staff          2 dic 22 14:37 etc
drwxr-xr-x   2 itily    staff          3 dic 22 14:37 bin
drwxr-xr-x   2 itily    staff         14 dic 22 14:38 lib

itily@openzooey:~/chroot_example$ cp /usr/lib/libidmap.so.1 usr/lib/
itily@openzooey:~/chroot_example$ cp /usr/lib/ld.so.1 usr/lib/
itily@openzooey:~/chroot_example$ cd lib/
itily@openzooey:~/chroot_example/lib$ ls -l
total 7615
-rwxr-xr-x   1 itily    staff      14044 dic 22 14:38 libavl.so.1
-rwxr-xr-x   1 itily    staff    1721400 dic 22 14:38 libc.so.1
-rwxr-xr-x   1 itily    staff      26748 dic 22 14:38 libcmdutils.so.1
-rwxr-xr-x   1 itily    staff     293876 dic 22 14:38 libcurses.so.1
-rwxr-xr-x   1 itily    staff      97852 dic 22 14:38 libidmap.so.1
-rwxr-xr-x   1 itily    staff     398704 dic 22 14:38 libm.so.2
-rwxr-xr-x   1 itily    staff      87164 dic 22 14:38 libmd.so.1
-rwxr-xr-x   1 itily    staff      25140 dic 22 14:38 libmp.so.2
-rwxr-xr-x   1 itily    staff     648776 dic 22 14:38 libnsl.so.1
-rwxr-xr-x   1 itily    staff      74776 dic 22 14:38 libnvpair.so.1
-rwxr-xr-x   1 itily    staff      97500 dic 22 14:38 libsec.so.1
-rwxr-xr-x   1 itily    staff      49556 dic 22 14:38 libuutil.so.1
itily@openzooey:~/chroot_example/lib$ cd ..

So, the final structure is

itily@openzooey:~/chroot_example$ ls -l
total 12
drwxr-xr-x   2 itily    staff          3 dic 22 14:37 bin
drwxr-xr-x   2 itily    staff          5 ene 10 20:43 etc
drwxr-xr-x   2 itily    staff         14 ene 10 20:48 lib
drwxr-xr-x   3 itily    staff          3 ene 10 20:40 usr

Also you need the group, passwd and other files

itily@openzooey:~/chroot_example$ echo "this is a test" > etc/license
itily@openzooey:~/chroot_example$ cd etc/
itily@openzooey:~/chroot_example/etc$ cat /etc/group |grep staff > group
itily@openzooey:~/chroot_example/etc$ cat /etc/passwd |grep itily > passwd

Now you can run the chroot command, but if you try to run as non root you will get the error

itily@openzooey:~$ chroot chroot_example bin/ls /etc
chroot: cannot change root directory to chroot_example: Not owner

So, you need to run as root

itily@openzooey:~$ pfexec chroot chroot_example /bin/ls -l /etc
total 6
-rw-r--r--   1 101      10            11 Jan 10 19:43 group
-rw-r--r--   1 101      10            18 Jan 10 19:42 license
-rw-r--r--   1 101      10            49 Jan 10 19:43 passwd

I hope it's what you are looking for ...

Urko,

You didn't say which Unix. Solaris zones do that easily. Here's an example how to set one up:

http://www.solarisinternals.com/wiki/index.php/Zones

I routinely develop in sandboxes in Debian Linux and like to use chroots so that I don't destroy my host machine in case I do something stupid by accident (which happens a lot). I put together a set of scripts for Debian and Ubuntu for me to create chroots (both cross-distro and x86 in x86-64) which you may find helpful.

https://github.com/vtonehundred/vroot