-1

I'm looking for a way to run multiple python/php apps on one server. Each app in it's own /bob_app folder.

I need for users not to be able to run sth like:

>>> import glob
>>> glob.glob("/*")
['/boot', '/cdrom', '/dev', '/lib64', '/run', '/initrd.img', '/sys', '/media', '/var', '/etc', '/srv', '/initrd.img.old', '/root', '/sbin', '/tmp', '/opt', '/vmlinuz', '/usr', '/home', '/lost+found', '/bin', '/proc', '/lib', '/mnt', '/vmlinuz.old']

Or the php etc equivalent. The apps should only see the contents of the folder they are running in and nothing above that.

Edit: The apps are in docker containers and using a chroot environment within docker is not something I'm sure is the right thing to do.

Jonathan
  • 276
  • 3
  • 13
  • 1
    You've tagged this chroot - perhaps you should investigate that and come back if you have any specific questions. – user9517 Sep 03 '16 at 20:03
  • @lain Thing is, the apps are in docker containers, except that I have sensitive bash setup files and supervisord confs in the docker container that I wouldn't want exposed to the user. Having a chroot environment within a docker container seems multiply redundant. I have to wonder if there's a better way. – Jonathan Sep 03 '16 at 20:33

1 Answers1

0

If you have control of the application, it should not matter if they could see other application paths. If the apps run with different UIDs, you only need to set permissions on the application directory to 700 so that other users can't see their files.

Even if the user can enter paths to resources, you can sanitized the paths they enter. Limit the accepted paths to appropriate directories.

There are a number of methods of providing configuration data securely. You may want to consider using a service repository/registry. If you have passwords or other sensitive data, it should be store in an encrypted format.

BillThor
  • 27,737
  • 3
  • 37
  • 69