我可以限制某个进程对某些文件的访问吗?
是否可以在 Linux 中启动一个进程,并限制其对某些文件/目录的访问?例如:
$ start-process --enable-dir=./sandbox --exec="some-script.sh"
some-script.sh
将无法在 ./sandbox
之外执行任何操作。
Is it possible to start a process in Linux, and restrict its access to certain files/directories? For example:
$ start-process --enable-dir=./sandbox --exec="some-script.sh"
some-script.sh
won't be able to do anything outside of ./sandbox
.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您可以使用
chroot
设置进程树的根目录。然而,这意味着该进程的所有依赖项必须在其新根中可用。有许多软件包可以帮助您根据需要设置 chroot 环境。 Google 是你的朋友;)
关于构建 chroot 环境的一些提示
在为某些程序或守护程序构建 chroot 时,你必须为要 chroot 的程序拥有一个完整的环境 。这意味着您必须在目录中提供最小系统。它可能包含:
ldd
或objdump
检查共享库依赖关系。出现的每个库都必须位于您的私有根目录中。对于您需要的每个可执行文件和库,此步骤可能会重复多次。请注意,某些在运行时使用dlopen
显式链接的库需要单独进行检查。/dev
树。/dev
中的一些最小文件,例如random
或zero
。您可以使用 mknod 命令创建它们。请参阅mknod
文档,如下以及有关设备应具有哪些主要/次要编号的 Linux 文档 ./etc
。其中需要的文件有:/
的最小mtab
。组
(同样,不是您的系统组文件)。你必须从某个地方开始,所以最好从你的程序的先决条件开始。有关详细信息,请参阅您的文档。
You can use
chroot
to set the root directory of your process tree. This means however, that all dependencies of that process must be available in it's new root.There are a number of packages that can help you setup chroot-environments for your needs. Google is your friend ;)
Some pointers on building a chroot environment
When builing a chroot for some program or daemon you have to have a complete environment for the program you want to chroot. This means you have to provide a minimum system in a directory. That might contain:
ldd
orobjdump
. Every library that appears has to be in your private root directory. This step might be repeated several times for every executable and library you need. Note that some libraries, which are linked explicitly at runtime usingdlopen
need to be checked separately./dev
tree./dev
such asrandom
orzero
. You can create those with themknod
command. Please refer to themknod
documentation, as well as the linux documentation on which major/minor numbers which device should have./etc
. Files needed therein are:mtab
containing/
.group
(again, not your system group file).You have to start somewhere, so it's best to start with the prerequisites for you program. Refer to your documentation for specifics.
通常,您希望
chroot
进程,以便它只能访问目录及其子目录,并且只能执行一些定义的命令。请参阅如何 chroot。
Typically you want to
chroot
the process, so that it can only access a directory and its sub-directories, and only execute some defined commands.See How to chroot.