dvhh / setuid-sandbox
Automatically exported from code.google.com/p/setuid-sandbox
License: Apache License 2.0
What steps will reproduce the problem?
1. modify sandboxme.c so that SANDBOXUSER = current user
2. compile setuid-sandbox on an openvz vm
3. sudo chown root:root sandboxme
4. sudo chmod 4511 sandboxme
5. start sandboxme
What is the expected output? What do you see instead?
I expected the sandbox to start.
I see the output
cap_set_proc: Operation not permitted
Could not adjust capabilities, aborting
What version of the product are you using? On what operating system?
HEAD on centos7
Please provide any additional information below.
I suspect that the reason for the failure is that I am inside an openvz container,
but it seemed to me, after reading
https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment that
compiling a specific sandbox for development could work.
Is the sandbox for development yet another thing, different from the
setuid-sandbox project?
Is there a way to make the setuid-sandbox work inside an openvz container?
Original issue reported on code.google.com by [email protected]
on 9 Sep 2014 at 4:29
What steps will reproduce the problem?
$ ./sandboxme -c -p -u 2 -- ls
What is the expected output? What do you see instead?
Expected output:
$ ./sandboxme -c -p -u 2 -- ls
Hi from the sandbox! I'm pid=26468, uid=1002, gid=1017, dumpable=N
Executing ls
ls: cannot open directory .: Permission denied
Current output:
Could not properly drop privileges
What version of the product are you using? On what operating system?
revision 2 on linux-2.6.36-rc7
Please provide any additional information below.
Patch attached.
Original issue reported on code.google.com by [email protected]
on 12 Oct 2010 at 2:21
Attachments:
Hi,
I wanted to build the project on CentOS, but I ran into a few errors. It turns
out that I didn't have libcap-devel installed. Easy fix, but I thought it might
be nice if you made some simple instructions for building.
Thanks,
fawce
Original issue reported on code.google.com by [email protected]
on 28 Dec 2011 at 3:08
I wrote a simple program to test the sandbox on Linux (Ubuntu); it creates and
writes something into a file:
int fd = open("xxx", O_CREAT | O_RDWR, S_IRUSR | S_IWUSR);
write(fd, "something", strlen("something"));
To my understanding, if we run this program through the SUID sandbox, the file
shouldn't be able to be created.
However, according to the test result, the file is still written to disk. The steps
are detailed as follows:
# build chrome_sandbox
# sudo cp out/Debug/chrome_sandbox sbx
# sudo chown root:root sbx
# sudo chmod 4755 sbx
# sbx filewrite // this creates a file on disk!
After looking into sandbox/linux/suid/sandbox.c, I found that in
SpawnChrootHelper(), setrlimit is called to limit file opening. But this is
only for the child process, which will then exit. In the parent process, file
opening is not limited.
To verify, I added the same setrlimit code to the parent process and tried the steps
above again; no file can be written to disk in this case.
So the question is, is this a bug, or is the way I'm testing the sandbox just
wrong?
Original issue reported on code.google.com by [email protected]
on 12 Aug 2011 at 8:44
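The per-process scope of the limit discussed in the report above, as an added example that is not part of the original report or of the Chromium or setuid-sandbox source: a child sets RLIMIT_NOFILE to 0 and its open() fails with EMFILE, while the parent, which never called setrlimit, still opens files. The function names and the use of /dev/null as the target are assumptions made for the illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Try to open a file; return 0 on success or the errno set by open().
   /dev/null is an assumed target so the example leaves no file behind. */
static int try_open(void) {
    int fd = open("/dev/null", O_WRONLY);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* Fork a child that sets RLIMIT_NOFILE to 0 and then calls open().
   Returns the child's errno from open() (0 if it succeeded), -1 on error. */
int open_errno_in_limited_child(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        const struct rlimit no_files = {0, 0};  /* soft and hard limit */
        if (setrlimit(RLIMIT_NOFILE, &no_files) != 0) _exit(255);
        _exit(try_open() & 0xff);  /* report errno through the exit status */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;
}

/* The parent never called setrlimit itself, so its open() is unaffected. */
int open_errno_in_parent(void) { return try_open(); }

int main(void) {
    int child = open_errno_in_limited_child();
    int parent = open_errno_in_parent();
    printf("child:  %s\n", child > 0 ? strerror(child) : "open succeeded");
    printf("parent: %s\n", parent > 0 ? strerror(parent) : "open succeeded");
    return 0;
}
```

Resource limits are inherited across fork() and preserved across execve(), so a limit applies to the sandboxed program only if it was set in the process that goes on to run that program, or in one of its ancestors.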
Sorry, I'm very naive about Linux security and OS-level programming. However,
I'm looking forward to building some sort of sandbox for a pet project.
In this project, users submit code in a number of languages, which the webapp
either compiles+executes or calls an interpreter on.
In what ways can setuid-sandbox help here? Would I be able to restrict the
executables from -
1. accessing files on the server,
2. doing network io
3. calling other programs
4. spawning new threads
5. accessing restricted areas of memory
6. causing possible harm through buffer overflows
Thanks a lot,
Abhishek
Original issue reported on code.google.com by [email protected]
on 12 Aug 2011 at 12:03
sandboxme help includes the following option:
-u3: Get a unique uid/gid and switch to it
This is a great feature, and would be really useful. I did a quick experiment
and modified the code to use a non-existent UID and GID on my system. This
worked successfully, so I was considering modifying the code to look for a
random uid/gid and assign that to the sandbox.
It seems pretty inactive here, so I was also thinking of forking the project
over to github for the sake of convenience. Anyone object to that?
Original issue reported on code.google.com by [email protected]
on 3 Jan 2012 at 4:37