-1

I am trying to run a command that needs to be limited to one directory and is executed in a shell function from a web application.

My goal is to run that program but limit it to one directory. This directory will change each time I want to run the program and multiple instances need to be able to run on different directories at the same time.

I have looked at chroot and it seems that a file system needs to be explicitly created each time. I am looking for a more temporary solution that accepts the desired root directory and dose not require me to copy files all over the place or do weird mounting of things.

mmiscool
  • 31
  • 1
  • 1
    Just in case, in FreeBSD, you can create jails (https://www.freebsd.org/doc/handbook/jails.html) [Poudriere](https://www.freebsd.org/doc/handbook/ports-poudriere.html) use them extensively for temporary creating packages, probably that could give more ideas for what you want to accomplish – nbari Jan 29 '20 at 09:58

1 Answers1

-1

What you most likely want is containers.

A container takes milliseconds to start, and creates what is basically a complete chroot jail every time it runs. A command like docker run --rm --volume /var/chroot/jail/whatever:/workdir ubuntu stat /workdir will run stat on the chroot jail directory, with all environment being the latest Ubuntu release. It will then scrap the chroot jail. Running it again will create a whole new jail.

You will need to build your web application as a docker image on top of whatever jail you need (Ubuntu, CentOS etc.), which means adjusting your build system to create such an image.

root
  • 5,528
  • 1
  • 7
  • 15
  • The file system access is most important to me. I need to arbitrarily run the command on files in a specific folder limiting the application only using that one folder. Each time I am going to run it it will be against a different folder. – mmiscool Nov 10 '19 at 22:42
  • You can write a script to do a bunch of bind mounts to achieve that, but someone already wrote that - docker. I edited my answer, look into `--volume`. – root Nov 12 '19 at 09:45