| 1 |
Hello, |
| 2 |
|
| 3 |
during the past days I've been working on a path sandbox which prevents |
| 4 |
any user read or write access to specified directory prefixes. Initially |
| 5 |
I worked on code of karltk which makes use of ptrace to trace the system |
| 6 |
calls directly. Due to lack of documentation and obscure beviour I've |
| 7 |
postponed the work on that version. I've therefor started the approach |
| 8 |
of providing alternative implementations of all file functions that are |
| 9 |
offered by glibc. |
| 10 |
|
| 11 |
Attached is a first version of what I've come up with. After |
| 12 |
de-archiving, build the library with 'make -f sandbox.makefile'. You |
| 13 |
should quickly end up with a 'sandbox.so' file. Now just run the sandbox |
| 14 |
by executing './sandbox'. |
| 15 |
|
| 16 |
You should now be in the protected environment. Three environmental |
| 17 |
variables control the behaviour of the sandbox : |
| 18 |
|
| 19 |
SANDBOX_DENY : path prefixes that deny access in every way |
| 20 |
SANDBOX_READ : path prefixes that only allow read |
| 21 |
SANDBOX_WRITE : path prefixes that only allow write |
| 22 |
Note that write permissions don't imply read premissions. |
| 23 |
|
| 24 |
Seperate different entries in the regular way, with colons. |
| 25 |
You can adapt the variables at any time, the sandbox adapts itself |
| 26 |
dynamically. |
| 27 |
|
| 28 |
Since a few shell utilities reset the LD_PRELOAD variable that is needed |
| 29 |
for all this to work, I've created default aliases for 'make' and 'su'. |
| 30 |
This should ensure that the default usage of these commands maintain the |
| 31 |
protected environment. Probably there are other commands that behave |
| 32 |
this way, but I haven't found them yet. |
| 33 |
|
| 34 |
I hope this is of use and I'll start continue testing it and trying to |
| 35 |
measure and enhance its performance. |
| 36 |
|
| 37 |
Best regards, |
| 38 |
|
| 39 |
Geert |
| 40 |
|
| 41 |
-- |
| 42 |
Geert Bevin |
| 43 |
the Leaf sprl/bvba |
| 44 |
"Use what you need" Pierre Theunisstraat 1/47 |
| 45 |
http://www.theleaf.be 1030 Brussels |
| 46 |
gbevin@×××××××.be Tel & Fax +32 2 241 19 98 |
Archives