Please give me a hint toward the simplest and lightest solution to isolate a Linux shell script (usually on Ubuntu, in case it has something special).

What I mean by isolation:

1. Filesystem - the most important - I want it to be unable to access (read) any folders outside the workspace except those I will manually configure in some way
2. Actually, other types of isolation do not matter

"Soft" isolation is OK, I mean the script may just fail/be aborted if it tries to access (read) denied paths, but "hard" isolation that gives "Not found" for such attempts looks like a cleaner solution.

I do not need any process isolation; the script may use sudo/fakeroot/etc. inside it, but this should not affect the isolation.

Also, I plan to use different isolations inside one workspace.

For example, I have these folders:

a/
b/
include/
target/

I want to:

make a, giving it access only to "a" (rw), "include" (r) and "target" (rw+sudo)

make b, giving it access only to "b" (rw), "include" (r) and "target" (rw+sudo)

and target will get both results from A and B, allowing B to overwrite any of the results of A - the same as if there were no isolation.

The target of the isolation I'm talking about is to prevent B from reading from A, even knowing that there is A, and vice versa.

Thanks!

Wile E.

1 Answer

Two different users and SSH is a simple way to solve your problem. One of the key benefits is that this will start a "clean" environment in a new shell.

ssh <user_a>@localhost '<path_to_build_script_a>'
ssh <user_b>@localhost '<path_to_build_script_b>'

Users a and b must both be members of the group that owns the common directories.

Note that it's the directory write permission that decides if a user can create new files inside that directory.

Edit: 2013-07-29

For lots of sequential isolated builds like in your case, one solution is to do as you have already suggested: automate file permission changes so that each build only has access to the files and folders it should.

  • But I still need a "manual" script that will do permissions switch before each `ssh` call, correct? – Wile E. Jul 19 '13 at 03:24
  • I don't see a need for that. Directory a should only be read/writable by user a and vice versa. – Anders Martinsson Jul 19 '13 at 04:53
  • Thanks, but your solution may be acceptable in the case of A and B, but I have about 60 dynamically managed scripts, each of which I want to isolate; probably I need something simpler – Wile E. Jul 24 '13 at 14:12
  • I agree that my suggestion doesn't scale well. Can the scripts run sequentially or is there a need to run them in parallel? – Anders Martinsson Jul 24 '13 at 18:55
  • We need only sequential run, or at least non conflicting parallel - this is controlled – Wile E. Jul 24 '13 at 22:43
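
One way to automate the permission switch discussed in the answer's edit and in the comments, for sequential builds that all run as a single unprivileged build account. This is an added example, not part of the original answer; the account and group name `builder`, the function names and the `/srv/ws` path are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical names and layout, not from the original answer.
# Assumes all builds run as one unprivileged account whose group is GROUP, and
# that this is run by the orchestrating script as root (or as the owner of
# everything in the workspace), so it can chgrp files earlier builds created.
# The workspace directory itself must stay traversable by the build account.

# grant DIR GROUP PERMS: give GROUP the symbolic PERMS on DIR and its contents.
grant() {
    chgrp -R "$2" "$1" &&
    chmod -R "u+rwX,g=$3,o=" "$1"
}

# switch_build WORKSPACE GROUP BUILD
# Opens BUILD/ and target/ read-write and include/ read-only for GROUP, and
# closes every other top-level directory. Closing needs only the top-level
# mode: without search (x) permission on b/, nothing below b/ can be reached,
# so the other ~60 directories cost one chmod each.
switch_build() {
    ws=$1 group=$2 build=$3
    [ -d "$ws/$build" ] || { echo "no such build: $build" >&2; return 1; }
    for dir in "$ws"/*/; do
        dir=${dir%/}
        case ${dir##*/} in
            "$build"|target) grant "$dir" "$group" rwX ;;
            include)         grant "$dir" "$group" rX ;;
            *)               chmod go= "$dir" ;;
        esac || return 1
    done
}

# Sequential run, one ssh session per build as in the answer (not executed
# here; the build script path is hypothetical):
#   for b in a b; do
#       switch_build /srv/ws builder "$b" &&
#           ssh builder@localhost "/srv/ws/$b/build.sh" || break
#   done
```

File permissions only constrain an account that cannot become root, so this holds only if the build account has no sudo rights.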