Hello! Let’s say I have an executable file, but I’m unsure of the source, and it may contain bugs/errors/malware/bad things that can mess up my machine. I want to execute it anyway, but I want to make sure that it does not mess things up. Is it possible to create a “sandbox” folder, place the executable inside it, and then give all files inside that folder write privileges only inside that folder, and not outside? So that `echo "hello" >> log.txt` would work, but `echo "hello" >> ~/log.txt` would not?
EDIT: thanks to everyone for the answers! I decided to opt for a VM to minimize the risk, but `chroot` is probably a faster solution for not-so-dangerous files.
Assuming no kernel bugs are present and you don’t run the command as a user with direct access to any system devices (like /dev/disk-by-*), you can run a command in an environment that will get deleted afterwards with systemd-nspawn.
This will allow you to do various forms of sandboxing, including picking an alternative root directory. If you install a minimal version of your OS into a directory, you can effectively run an isolated container from a folder you specify.
If you use BTRFS for your root filesystem, `systemd-nspawn -D / -xb` will also be able to start a full copy of your entire Linux system that’ll get erased after closing it.

If your executable needs root or you’re not sure if it’ll exploit your kernel, a VM is the way to go. With tools like Vagrant you can set up VMs relatively easily.
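An added example (not the answerer's code) of the ephemeral-snapshot approach described above, arranged so that only writes inside the sandbox folder survive, which is what the question asked for. It assumes a btrfs root subvolume, an installed systemd-nspawn, root via sudo, and a caller-chosen sandbox directory and unprivileged user name.

```shell
#!/bin/sh
# Added example: run an untrusted binary inside an ephemeral systemd-nspawn
# snapshot of the host root (the "-D / -x" idea from the answer). The sandbox
# folder is bind-mounted from the real host, so a log.txt written there
# persists; anything written elsewhere (e.g. ~/log.txt) is discarded together
# with the snapshot when the container exits. --private-network also cuts the
# binary off from the network. Assumes btrfs root, sudo and systemd-nspawn.

# Print the argument list, one per line, for a sandbox folder, an unprivileged
# user and the command to run. Separate from the run step so it can be
# inspected without root.
nspawn_args() {
    sandbox=$1; user=$2; shift 2
    printf '%s\n' \
        --directory=/ \
        --ephemeral \
        --private-network \
        "--bind=$sandbox" \
        "--chdir=$sandbox" \
        "--user=$user" \
        --
    printf '%s\n' "$@"          # the command and its arguments, verbatim
}

# Run the command in the snapshot. Returns 2 for a missing sandbox directory
# and 127 if systemd-nspawn is not installed, so callers can tell them apart.
run_sandboxed() {
    [ -d "$1" ] || { echo "no such directory: $1" >&2; return 2; }
    sandbox=$(cd "$1" && pwd -P); user=$2; shift 2
    command -v systemd-nspawn >/dev/null 2>&1 || {
        echo "systemd-nspawn not installed" >&2; return 127; }
    # Turn the newline-separated list back into positional parameters without
    # word splitting on spaces or glob expansion.
    oldifs=$IFS; IFS='
'
    set -f
    set -- $(nspawn_args "$sandbox" "$user" "$@")
    set +f; IFS=$oldifs
    sudo systemd-nspawn "$@"
}

# Example invocation (only when explicitly requested, so sourcing is harmless):
#   NSPAWN_SANDBOX_RUN=1 ./sandbox.sh ~/sandbox nobody ~/sandbox/untrusted-bin
if [ "${NSPAWN_SANDBOX_RUN:-0}" = 1 ]; then
    run_sandboxed "$@"
fi
```

Because the bind mount points at the host directory, the untrusted program still sees the real contents of the sandbox folder; keep only what it needs in there.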