C++, linux: how to limit function access to file system?


Question

Our app is run from SU or normal user. We have a library we have connected to our project. In that library there is a function we want to call. We have a folder called notRestricted in the directory where we run the application from. We have created a new thread. We want to limit access of the thread to the file system. What we want to do is simple - call that function but limit its access to write only to that folder (we prefer to let it read from anywhere the app can read from).

Update: So I see that there is no way to disable only one thread from all FS but one folder...

I read your propositions, dear SO users, and posted some kind of analog to this question here (http://unix.stackexchange.com/questions/15078/terminal-command-called-not-from-su-that-would-restrict-process-from-writting-t), so in there they gave us a link to sandbox with not a bad api, but I do not really know if it would work on anything but GentOS (but anyway such a script looks quite interesting in case of using Boost.Process command line to run it and then run the desired ex-thread (which migrated to a separate application =)).

Recommended answer

There isn't really any way you can prevent a single thread, because it's in the same process space as you are, except for hacking methods like function hooking to detect any kind of file system access.

Perhaps you might like to rethink how you're implementing your application - having native untrusted code run as su isn't exactly a good idea. Perhaps use another process and communicate via RPC, or use an interpreted language that you can check against at run time.
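
The separate-process approach from the answer, as an added example that is not part of the original thread: the library call runs in a forked child that may write only beneath the allowed folder, and the parent gets the result back as the exit status. The write restriction uses Landlock (Linux 5.13 or later), which is an assumption of this example and is not named on the page; `run_confined`, `confine_writes_to` and `probe` are hypothetical names.

```cpp
#include <fcntl.h>
#include <linux/landlock.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

// Landlock ABI v1 write-type rights (truncate(2) is only covered from ABI v3).
static const __u64 kWrites =
    LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR |
    LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_MAKE_CHAR |
    LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG |
    LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO |
    LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM;

// Deny writes everywhere except beneath `dir`; reads stay unrestricted.
// Returns false when the kernel has no Landlock or any step fails.
static bool confine_writes_to(const char* dir) {
    landlock_ruleset_attr rs{kWrites};  // handled_access_fs; other fields zero
    int ruleset = (int)syscall(SYS_landlock_create_ruleset, &rs, sizeof rs, 0);
    if (ruleset < 0) return false;
    landlock_path_beneath_attr rule{kWrites, open(dir, O_PATH | O_CLOEXEC)};
    bool ok = rule.parent_fd >= 0 &&
        syscall(SYS_landlock_add_rule, ruleset, LANDLOCK_RULE_PATH_BENEATH, &rule, 0) == 0 &&
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 &&
        syscall(SYS_landlock_restrict_self, ruleset, 0) == 0;
    close(rule.parent_fd);
    close(ruleset);
    return ok;
}

// Runs fn in a forked child. Returns fn's result (0..127), or -1 when the
// sandbox could not be applied (fail closed) or the child died abnormally.
int run_confined(int (*fn)(), const char* dir) {
    mkdir(dir, 0700);  // create the allowed folder if it is missing
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(confine_writes_to(dir) ? (fn() & 0x7f) : 255);
    int st = 0;
    if (waitpid(pid, &st, 0) != pid || !WIFEXITED(st) || WEXITSTATUS(st) == 255) return -1;
    return WEXITSTATUS(st);
}

// Constructed stand-in for the library call: bit 0 = inside write worked, bit 1 = outside write worked.
int probe() {
    int in = open("notRestricted/ok.txt", O_WRONLY | O_CREAT, 0600);
    int out = open("outside.txt", O_WRONLY | O_CREAT, 0600);
    return (in >= 0 ? 1 : 0) | (out >= 0 ? 2 : 0);
}
```

Calling `run_confined(probe, "notRestricted")` yields 1 on a kernel with Landlock: the write inside the folder succeeds and the one outside is denied. File descriptors the parent already holds open are inherited by the child and are not covered by the restriction, so close them before the call; a pipe or socket can replace the exit status when the function returns more than a small integer.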
