I've written an API which I would like to be able to write directly on the computers of my users. The API is already able to push onto git repositories, but I would like a more direct way.

For this purpose, I'm writing a RabbitMQ worker that each user will have to install. I plan 1 RabbitMQ login per user, and also 1 RabbitMQ channel per user. I want to prevent users from writing to each other's RabbitMQ queues.

The worker will be launched via my-worker-ctl start $userName $userKey. The user will be able to specify in which folders the worker can work, for example my-worker-ctl set-project-root $myProjectName $folder.

Folders in which the projects are created are generally owned by the $USER or www-data group.

I would like to know if there is a way to limit the worker's access to only its installation dir AND the registered directories (my-worker-ctl set-project-root). My goal is to prevent the API from writing to the user's other folders, in case the API is breached. By doing this, the API will not be a security hole.

PS: the clients will only be running Linux; I won't make a worker version for other OSes.

  • What Linux distros and versions? – kubanczyk Apr 15 '18 at 09:18
  • It would work at least on a default Ubuntu; the user wouldn't have to install specific security packages. For the moment I'm thinking of chowning the projects to the "my-worker-user" user and the group to "my-user" or "www-data", with "my-user" being in the www-data group. I don't really like that solution. – Pierre Emmanuel Lallemant Apr 15 '18 at 10:00

0 Answers