Skip to main content

PWD-based privilege separation

I am often tempted to try out a random github project with:

# mkdir random-repo
# cd random-repo
# git clone http://github.com/random-dude/random-repo .
# ./configure && make
[...]
# emacs hack-on-something.cc
# make
However that is naive from a security standpoint. Makefiles can do just about everything to your workstation, e.g. steal your e-banking credentials from .config/chrome. So, I want sandboxing. And I want it in a way that fuses nicely with the workflow above.

Basing sandbox activation on my shell current working directory seems to work quite nicely. Consider the following:

# id -nu
clefru
# echo $PWD
/home/clefru/devel
# pwdjail-mkdir random-repo
# cd random-repo
$ id -nu
random-repo
$ echo $HOME
/home/clefru/devel/random-repo
$ git clone http://github.com/random-dude/random-repo .
$ ./configure && make
[...]
$ cd ..
# echo $PWD
/home/clefru/devel
# id -nu
clefru
# emacs random-repo/src/file.cc
[...]
Notice:
  • I use pwdjail-mkdir instead of mkdir.
  • Entering a subdir beneath /home/clefru/devel/random-repo enters the sandbox
  • Leaving /home/clefru/devel/random-repo leaves the sandbox
In a nutshell, the sandbox concept gets fused with your working directory. I found this to fit nicely with my established working habits, that is chdir-ing into a project directory when doing work there. Let's look at how this works under the hood.

pwdjail-mkdir creates a sandbox user with its home directory set to the directory it has just created. My shell has a hook within chpwd, that when changing into a (sub-)directory of a sandbox user's home directory, the hook spawns a sub-shell via sudo for that sandbox user. The sub-shell also has a hook within chpwd that quits the sub-shell when the sandbox directory is left via another cd. Before quitting though, the sub-shell records the cd target directory and passes it to the outer shell. The outer shell, that is still hanging within its chpwd hook, grabs this target directory and chdirs into it. This completes the illusion that all of this is transparent.

To clean things up, I use pwdjail's version of rm -Ir named pwdjail-rm-Ir, which also removes the sandbox user. Sharing files between the sandbox user and the master user is done by setting a default ACL on the sandbox home directory. I still get mixed file owners if I happen to create files from within the sandbox and create files from the outside, but luckily with Posix ACLs I don't need an explicit step to fix permissions if the other users happens to access a file.

Grab the code from http://github.com/clefru/pwdjail, run pwdjail-setup and you are good to go. I tested this only with zsh, so make sure you have that installed.

Comments

Popular posts from this blog

Liskell standalone

Some time has passed since I last blogged about Liskell. It is not dead nor have I changed my mind that Haskell needs a proper meta-programming facility not to mention a better syntax.Liskell was a branch of GHC once. Now it sits on top of the GHC API, or I should rather say sneaks behind its back as it creates its own API as the original one is not suitable for the stunts I'm interested in. If Liskell sticks with GHC as its soil, I will definitely send patches upstream to refine the GHC API in the areas where it needs more flexibility for Liskell. However for the moment, my main target was to get something out that compiles with a stable version of GHC.You can grab it with the usual: darcs get http://code.haskell.org/liskell/ This version has been tested with ghc 6.10.1 and should install like: ./Setup.lhs configure ./Setup.lhs build ./Setup.lhs install cd LskPrelude make install-inplace Optionally you can run make tests in the testsuite subdirectory. Thanks to community.haskell…

XMonad GridSelect

Personally, I not just need a window manager, I need a focus manager. I tend to think of windows as TODO items, and as there are many TODOs in life there are many windows on my workspaces. Usually a fraction of that can't be closed or worked on immediately, so they linger around on my desktop, cluttering my workspace.I used to use the Tabbed layout. But Tabbed isn't the answer when you are a guy who reports bugs such as "XMonad 0.6 with Tabbed dies when firefox-session-restore slams 40 windows at once on the desktop". In other words, I use a lot of windows. The workspaces concept isn't particularly useful to me either. My mind just doesn't work with mental boxes. So the result is, that I have too few workspaces with too much windows on them, so that Tabbed has trouble displaying useful window titles, and navigating through them is slow and cumbersome (mostly because tab switching generates a lot of useless X Expose events).GridSelect is my answer to that. It…

Removing CHS based access from windows boot loaders

Recently, I had troubles to migrate my Windows installation from VMWare to VirtualBox. When booting the vmware created partition in virtualbox, I got "NTLDR not found". So I sharpened the knives and got down to business with vmware's gdb interface and virtualbox's internal debugger. Tracing the execution showed that the BIOSes of the two products reported different geometries on the INT 13h interface. The generic method contained in the boot loader to read a sector from disk is "clever" as it checks whether the sector is below the maximum sector index that is reachable with the CHS geometry reported by the BIOS. If not, it uses the LBA interface of the BIOS. If yes, the cleverness of the boot loader suddenly vanishes. Instead of using the BIOS reported geometry to break the absolute sector down into its CHS components, the boot loader uses a geometry stored in the so called BIOS parameter block. That's a section of the first sector embedded into the boo…