Running a binary safely at run time (seteuid, etc.)
So if I want to run a binary using exec() on a child process after fork, but want to restrict its file access to a certain directory only, how does one safely do that?
Does this involve creating a new user in unix/linux, and then setting the uid to that user? Or would this require creating a group (say, webapps) and then using setguid?
Of course, one can just run the binary as is, but it seems that taking some precautions with security is never a bad idea.
Comments (1)
I'd take a look at chroot. It's a relatively easy way to separate parts of your system.
In a nutshell: you change the root for a particular process, so /path/to/working/dir is now / for that process. Of course you have to add everything that is necessary (utilities, libraries, configuration) to this folder.
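
The following is an added example, not code from the question or the answer above: it combines the chroot suggestion with the uid/gid drop the question asks about, in the order that works (chroot while still root, then groups, gid, uid), and refuses to exec if any step fails. The helper name `run_confined`, the jail path `/srv/jail`, the binary `/bin/app` and uid/gid 65534 are assumptions chosen for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* exposes chroot() and setgroups() on glibc */
#endif
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper. Returns the child's exit status, 126 if confinement
 * failed before exec, 127 if exec itself failed, -1 on fork/wait error. */
int run_confined(const char *jail, uid_t uid, gid_t gid, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* chroot() needs root, so it must happen before privileges drop.
         * chdir first so no working directory outside the jail survives. */
        if (chdir(jail) != 0 || chroot(".") != 0 || chdir("/") != 0)
            _exit(126);
        /* Clear supplementary groups, then gid, then uid. The uid goes last
         * because the group calls also require privilege. */
        if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
            _exit(126);
        /* Fail closed if root can still be regained after the drop. */
        if (uid != 0 && setuid(0) == 0)
            _exit(126);
        execv(argv[0], argv);    /* argv[0] is resolved inside the jail */
        _exit(127);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed values: the jail must already contain /bin/app and the
     * libraries it needs. The parent has to run as root for chroot(). */
    char *const argv[] = { "/bin/app", NULL };
    return run_confined("/srv/jail", 65534, 65534, argv);
}
```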