I'm working on a webapp (running on an Ubuntu server) that will allow the user to run Octave code (basically Matlab). However, I only want them to be able to read or modify folders in their designated home folder.
I know chroot is one way of doing this, but it's insecure and you need root privileges to chroot (which ideally the app won't need).
Also, I could read the user's code before running and throw an error if they try to write to a file, but for that I'd need to think of EVERY way the user might break my rules in order to prevent it.
I've looked at Linux-VServer but that would require a separate virtual server for each user (unless I'm mistaken).
edit: I could set up an SSH connection and jail the connection, but that seems unnecessarily resource-greedy.
Is there a way I could jail a user or process to a particular folder without using chroot?
The unshare() system call was added to Linux in kernel 2.6.16+.
To chroot into the rootfs directory ./target/ and run /bin/bash as a non-root user, you can do:
unshare -r sh -c 'chroot ./target/ /bin/bash'
It usually works better than:
fakechroot fakeroot chroot ./target/ /bin/bash
And it is even simpler than:
LD_LIBRARY_PATH=./target/lib:./target/usr/lib:./target/lib64:./target/lib/x86_64-linux-gnu:./target/usr/lib/x86_64-linux-gnu ./target/bin/bash #or ld-linux.so.2 --library-path ... ./target/bin/bash
P.S.: But you must bind-mount something within ./target before chrooting if you want to communicate with the parent rootfs.
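Putting the answer's approach together as an added example (this is not code from the original answer): a script that builds a throwaway root under ./target, bind-mounts the host toolchain into it from inside an unprivileged user+mount namespace, binds one per-user directory in as the jail's /home/user, and runs a command chrooted there. The paths ./target and ./work_user1 are hypothetical, and the script assumes unprivileged user namespaces are enabled on the host.

```shell
#!/bin/sh
# Added example, not code from the original answer. Builds a throwaway root
# under $TARGET, bind-mounts the host toolchain into it inside an
# unprivileged user+mount namespace (unshare -rm), binds one per-user
# directory in as /home/user, and runs a command chrooted there.
set -eu

TARGET=${TARGET:-./target}        # assumed jail root (hypothetical path)
WORKDIR=${WORKDIR:-./work_user1}  # assumed per-user writable directory

# Succeeds when a chroot binary exists and unprivileged user namespaces work.
jail_available() {
    command -v chroot >/dev/null 2>&1 && unshare -rm true 2>/dev/null
}

# Create the skeleton; /etc is deliberately left out so host accounts and
# configuration stay invisible inside the jail.
prepare_jail() {
    mkdir -p "$TARGET/home/user" "$WORKDIR"
    for d in bin lib lib64 usr; do
        [ -d "/$d" ] && mkdir -p "$TARGET/$d"
    done
    return 0
}

# Run the shell command $1 inside the jail. The bind mounts exist only in
# the new mount namespace, so they vanish when the command exits, and the
# caller's real uid owns every file written under $WORKDIR.
jail_run() {
    unshare -rm sh -c '
        t=$1; w=$2; cmd=$3
        for d in bin lib lib64 usr; do
            [ -d "/$d" ] && mount --bind "/$d" "$t/$d"
        done
        mount --bind "$w" "$t/home/user"   # the only writable host path
        cd "$t" && exec chroot . /bin/sh -c "cd /home/user && $cmd"
    ' sh "$TARGET" "$WORKDIR" "$1"
}

# Demonstration: the jailed command can write to its home but cannot see
# host files outside the bound directories. Returns 2 if the host cannot
# create user namespaces at all (common inside some containers).
jail_demo() {
    jail_available || { echo "unprivileged user namespaces unavailable" >&2; return 2; }
    prepare_jail
    jail_run 'echo hello > notes.txt && [ ! -e /etc/passwd ]'
    [ -f "$WORKDIR/notes.txt" ]
}
```

Source the script and call jail_demo, or call jail_run with the Octave invocation you want to sandbox; the bind mounts are private to that one command and leave the host mount table untouched.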