drnbotxo449747
drnbotxo449747
2016-03-12 19:17

有没有办法去chroot / sandbox进行os.exec调用(防止rm -rf /)

已采纳

I want to test/automate some repositories, the basic flow is something like:

repos := []string{"repo 1", "repo 2", ...}
for r := range repos {
    // git clone the repo 
    // cd repo dir
    // make test
    // make build
    // ...
}

I am doing this with GO using os.exec to call the all the series of commands, something like:

 exec.Command("sh", "-c", "git clone project")

So far so good, but I would like to know if there is a way to secure/protect against something miswriting on the Makefile that could be doing something like rm -rf /. and break my host.

Basically I would like to use the system libraries/tools but restrict/chroot only the output to a specific workdir, so that I can avoid pre-build a chroot for this.

A working solution is to use a FreeBSD jail, but I would like to know if there an alternative/secure way of doing this without the need of containers,virtualbox,etc; and using a basic Mac OS X workstation. so that anyone could "safely" run & test without worries.

Any ideas ?

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 复制链接分享
  • 邀请回答

1条回答

  • doukuanyong1939 doukuanyong1939 5年前

    You should be fine using os.Setuid/os.Setgid (example.go):

    package main

import (
    "log"
    "flag"
    "os"
    "os/exec"
    "syscall"
)

func main() {
    var oUid = flag.Int("uid", 0, "Run with User ID")
    var oGid = flag.Int("gid", 0, "Run with Group ID")
    flag.Parse()

    // Get UID/GUID from args
    var uid = *oUid
    var gid = *oGid

    // Run whoami
    out, err := exec.Command("whoami").Output()
    if err != nil {
        log.Fatal(err)
        return
    }

    // Output whoami
    log.Println("Original UID/GID whoami:", string(out))
    log.Println("Setting UID/GUID")

    // Change privileges
    err = syscall.Setgid(gid)
    if err != nil {
        log.Println("Cannot setgid")
        log.Fatal(err)
        return
    }

    err = syscall.Setuid(uid)
    if err != nil {
        log.Println("Cannot setuid")
        log.Fatal(err)
        return
    }

    // Execute whoami again
    out, err = exec.Command("whoami").Output()
    if err != nil {
        log.Fatal(err)
        return
    }
    log.Println("Changed UID/GID whoami:", string(out))


    // Do some dangerous stuff
    log.Println("Creating a executable file within /bin should fail...")
    _, err = os.Create("/bin/should-fail")
    if err == nil {
        log.Println("Warning: operation did not fail")
        return
    }

    log.Println("We are fine", err)
}

    I would also recommend to read about setting gid/uid properly (https://unix.stackexchange.com/questions/166817/using-the-setuid-bit-properly, in C). Oh! its needed to set gid before uid, because the example fails if you don't do so.

    You should execute example.go with root privileges and specify unprivileged gid/uid to the command with flags -gid,-uid respectively.

    sudo go run example.go -uid <unprivileged id> -gid <unprivileged id>
    点赞 评论 复制链接分享
提交

为你推荐