
I need to run various text-processing utilities (like latex) on untrusted files, as part of some build script. How can I do that safely, without needing root access? I'm thinking of writing a Python script which "drops privileges/capabilities" before running those utilities so they don't have access to the network and so as to confine their file-writes to one or two subdirectories.

If needed, I could ask the sysadmin to install extra Debian packages.

Stefan
    Just about any solution for this sort of privilege isolation will require your *build script* to have root access (or the equivalent, such as access to Docker). If that's an option, Docker may be the quickest path to a solution. – larsks Nov 01 '17 at 15:12
  • Hmm... don't unprivileged containers show that it can be done (tho it may require some initial setup on the sysadmin's side)? – Stefan Nov 02 '17 at 13:52
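One way to build the "drop privileges before running the utility" wrapper the question asks about, without root, is to launch each tool under bubblewrap (Debian package `bubblewrap`, binary `bwrap`) from the Python build script. This is an added example, not code from the question or its comments; it assumes `bwrap` is installed, that the kernel permits unprivileged user namespaces, and that the Debian merged-/usr layout applies. The `build` directory and `paper.tex` in the usage block are placeholders.

```python
"""Run an untrusted build step (e.g. pdflatex) in a bubblewrap sandbox.

Inside the sandbox only WORKDIR (mounted at /work) is writable, the
network namespace is empty, and the toolchain is mounted read-only.
"""
import os
import resource
import subprocess

SANDBOX_ROOT = "/work"   # where the caller's work directory appears inside


def bwrap_argv(workdir, command, ro_paths=("/usr", "/etc")):
    """Build the bwrap command line; 'command' runs with cwd=/work."""
    argv = ["bwrap",
            "--unshare-all",      # new user, pid, net, ipc, uts namespaces
            "--die-with-parent",  # sandbox dies if the build script dies
            "--new-session",      # detach from the tty (blocks TIOCSTI tricks)
            "--clearenv",
            "--setenv", "PATH", "/usr/bin:/bin",
            "--setenv", "HOME", SANDBOX_ROOT,   # TeX caches land in /work
            "--proc", "/proc", "--dev", "/dev", "--tmpfs", "/tmp"]
    for p in ro_paths:                          # toolchain + config, read-only
        argv += ["--ro-bind", p, p]
    for link in ("bin", "sbin", "lib", "lib64"):  # merged-/usr symlinks
        argv += ["--symlink", "usr/" + link, "/" + link]
    argv += ["--bind", os.path.abspath(workdir), SANDBOX_ROOT,
             "--chdir", SANDBOX_ROOT, "--"]
    return argv + list(command)


def writable_mounts(argv):
    """Sandbox paths mounted read-write; must be exactly [SANDBOX_ROOT]."""
    return [argv[i + 2] for i, a in enumerate(argv) if a == "--bind"]


def _limits():
    # Runs in the child before exec: cap CPU time and output file size so a
    # looping or disk-filling document cannot exhaust the build host.
    resource.setrlimit(resource.RLIMIT_CPU, (60, 60))
    resource.setrlimit(resource.RLIMIT_FSIZE, (200 << 20, 200 << 20))


def run_sandboxed(workdir, command, timeout=120):
    argv = bwrap_argv(workdir, command)
    assert writable_mounts(argv) == [SANDBOX_ROOT]
    return subprocess.run(argv, preexec_fn=_limits, timeout=timeout,
                          stdin=subprocess.DEVNULL, capture_output=True, text=True)


if __name__ == "__main__":
    r = run_sandboxed("build", ["pdflatex", "-no-shell-escape",
                                "-interaction=nonstopmode", "paper.tex"])
    print(r.returncode, r.stdout[-2000:])
```

If unprivileged user namespaces are disabled on the host, `bwrap` fails at startup with a clear error rather than running the tool unconfined, which is the failure mode you want from a build sandbox.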

0 Answers