Can I restrict access to certain files for a certain process?


Problem description

Is it possible to start a process in Linux, and restrict its access to certain files/directories? For example:

$ start-process --enable-dir=./sandbox --exec="some-script.sh"

some-script.sh won't be able to do anything outside of ./sandbox.

Recommended answer

You can use chroot to set the root directory of your process tree. This means, however, that all dependencies of that process must be available in its new root.

There are many packages that can help you set up a chroot environment according to your needs. Google is your friend ;)

Some tips for building a chroot environment

When building a chroot for some program or daemon you have to have a complete environment for the program you want to chroot. This means you have to provide a minimum system in a directory. That might contain:

  • A shell and some shell utilities, or a variant of busybox. (This encompasses the next step too, if you aren't planning on deploying one single static executable, that is.)
  • Libc and other dependent shared libraries.
    • You need to check shared library dependencies using ldd or objdump. Every library that appears has to be in your private root directory. This step might be repeated several times for every executable and library you need. Note that some libraries, which are linked explicitly at runtime using dlopen, need to be checked separately.
  • If you plan to chroot a daemon process, it may well need some minimal files in /dev such as random or zero. You can create those with the mknod command. Please refer to the mknod documentation, as well as the Linux documentation on which major/minor numbers each device should have.
  • A minimal passwd and shadow (not your system passwd/shadow).
  • A minimal mtab containing /.
  • A minimal group (again, not your system group file).

You have to start somewhere, so it's best to start with the prerequisites for your program. Refer to your documentation for specifics.
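The ldd-then-copy step and the /dev nodes the answer describes, as an added example that is not from the original answer or the question. It assumes a Linux host with ldd, mknod and chroot available; the function names (ldd_paths, install_into, populate_chroot, make_dev_nodes) and the sandbox path are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original answer: populate a chroot
# directory with an executable plus the shared libraries ldd reports
# for it, and create the few device nodes a daemon usually needs.
# Function names and paths are this example's own assumptions.

# Read ldd output on stdin and print one library path per line.
# ldd prints three shapes of line:
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)   -> take field 3
#   /lib64/ld-linux-x86-64.so.2 (0x...)                    -> take field 1
#   linux-vdso.so.1 (0x...)                                -> no file on disk, skip
# A "=> not found" line is reported on stderr so the gap is visible.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $2 == "=>" && $3 == "not" { print "missing: " $1 > "/dev/stderr"; next }
        $1 ~ /^\// { print $1 }
    '
}

# Copy $2 into the sandbox rooted at $1, keeping its absolute path layout,
# so the dynamic loader finds it at the same place it expects outside.
# cp without -P follows symlinks (e.g. /lib64/ld-linux-x86-64.so.2), so the
# chroot gets the real file rather than a dangling link.
install_into() {
    root="$1"; src="$2"
    mkdir -p "$root$(dirname "$src")"
    cp -p "$src" "$root$src"
}

# Install an executable and its shared-library closure into the sandbox.
# ldd already resolves transitive dependencies, so one pass per executable
# is enough; a static binary yields no libraries. Libraries loaded via
# dlopen at runtime are not listed by ldd and must be added by hand.
populate_chroot() {
    root="$1"; exe="$2"
    install_into "$root" "$exe"
    ldd "$exe" 2>/dev/null | ldd_paths | while read -r lib; do
        install_into "$root" "$lib"
    done
}

# Create the device nodes a chrooted daemon commonly needs. Major/minor
# numbers are the standard Linux ones (kernel Documentation, devices.txt).
# Needs root, like chroot itself.
make_dev_nodes() {
    root="$1"
    mkdir -p "$root/dev"
    mknod -m 666 "$root/dev/null"    c 1 3
    mknod -m 666 "$root/dev/zero"    c 1 5
    mknod -m 666 "$root/dev/random"  c 1 8
    mknod -m 666 "$root/dev/urandom" c 1 9
}

# Usage (as root), mirroring the question's start-process idea:
#   populate_chroot ./sandbox /bin/sh
#   install_into ./sandbox "$(readlink -f some-script.sh)"   # absolute path
#   make_dev_nodes ./sandbox
#   chroot ./sandbox /bin/sh /<absolute path of some-script.sh>
```

chroot on its own does not confine a process that keeps root privileges inside the tree, so the usual practice is to run the command inside the chroot as an unprivileged user and to keep the populated tree read-only for that user wherever the program allows it.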

