Preventing file writes outside of a tree or filesystem

    Preventing file writes outside of a tree or filesystem  
Andre Majorel


12-27-06 12:29 PM

Is there a way to run a subprocess so that it can read from all
files but not write to files outside of a tree or filesystem you
specify ? That would be on Linux but if there's a more general
solution, I'm interested in it.

--
André Majorel <URL:http://www.teaser.fr/~amajorel/>
(Counterfeit: edev@freestone.com tyt@worst.com)
Religion: a magic device for turning unanswerable questions into
unquestionable answers. -- Art Gecko





    Re: Preventing file writes outside of a tree or filesystem  
Michael Vilain


12-27-06 12:29 PM

In article <slrnep4ek1.2rv.cheney@atc5.vermine.org>,
Andre Majorel <cheney@halliburton.com> wrote:

> Is there a way to run a subprocess so that it can read from all
> files but not write to files outside of a tree or filesystem you
> specify ? That would be on Linux but if there's a more general
> solution, I'm interested in it.

The function you're looking for is called a chrooted directory try.  A
restricted shell can use this.  Look these ideas up in your man pages or
Linux books.

--
DeeDee, don't press that button!  DeeDee!  NO!  Dee...








    Re: Preventing file writes outside of a tree or filesystem  
Andre Majorel


12-27-06 12:29 PM

On 2006-12-27, Michael Vilain <vilain@spamcop.net> wrote:
> In article <slrnep4ek1.2rv.cheney@atc5.vermine.org>,
>  Andre Majorel <cheney@halliburton.com> wrote:
> 
>
> The function you're looking for is called a chrooted directory
> try.

What is a "chrooted directory try" ?

> A restricted shell can use this.

chroot and restricted shells are useful but not an answer to the
question above.

--
André Majorel <URL:http://www.teaser.fr/~amajorel/>
(Counterfeit: nabewyz@concurrent.com codimaw@predicament.com)
Religion: a magic device for turning unanswerable questions into
unquestionable answers. -- Art Gecko





    Re: Preventing file writes outside of a tree or filesystem  
Dave Hinz


12-27-06 12:29 PM

On Wed, 27 Dec 2006 10:09:43 +0000 (UTC), Andre Majorel <cheney@halliburton.com> wrote:
> On 2006-12-27, Michael Vilain <vilain@spamcop.net> wrote:
 
>
> What is a "chrooted directory try" ?
> 
>
> chroot and restricted shells are useful but not an answer to the
> question above.

Perhaps instead of lecturing someone who gave you a perfectly correct
answer, you could tell us how you feel this doesn't meet your needs.
Why, for instance, would someone have write permission where they
shouldn't, for starters?  What is it you're actually trying to
accomplish?





    Re: Preventing file writes outside of a tree or filesystem  
Todd H.


12-27-06 06:16 PM

Andre Majorel <cheney@halliburton.com> writes:

> Is there a way to run a subprocess so that it can read from all
> files but not write to files outside of a tree or filesystem you
> specify ? That would be on Linux but if there's a more general
> solution, I'm interested in it.

Dunno what you're trying to accomplish but I'll offer that forensic
analysis setups interface to the hard disk being analyzed using a
cable that physically has the write wires disconnected to the hard
drive.    That's the only way you're really sure no writes are taking
place to that volume.

No writing to a filesystem is  relatively easy in unix... just mount
the partition read only.   The man page for mount will tell you about
-r option or -o ro.

For a given subdirectory of a mounted volume, I'm not aware of an
existing solution.

--
Todd H.
http://www.toddh.net/





    Re: Preventing file writes outside of a tree or filesystem  
Stefaan A Eeckels


12-27-06 06:16 PM

On Wed, 27 Dec 2006 09:18:58 +0000 (UTC)
Andre Majorel <cheney@halliburton.com> wrote:

> Is there a way to run a subprocess so that it can read from all
> files but not write to files outside of a tree or filesystem you
> specify ? That would be on Linux but if there's a more general
> solution, I'm interested in it.
>

Access privileges are granted to users and not to processes, so you
cannot ask the OS to restrict file access to a specific process. A
fairly hackish approach would be to preload a library that intercepts
the "open" call and applies your access policies.

I suspect you're asking the wrong question. What exactly are you trying
to achieve?

--
Stefaan A Eeckels
--
...one of the chief advantages of a CLI over a GUI:  people who are
truly clueless are more likely to give up and walk away before they
mess things up too badly.                              --Logan Shaw
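
The preloaded-library approach suggested in the post above, as an added example that is not part of the original thread: a shim that lets reads through and fails write-mode `open()` calls whose resolved path is outside a chosen tree. The `WRITE_ROOT` variable and the `under_root`/`guarded_open` names are assumptions made for this example.

```c
/* Added example. WRITE_ROOT is a made-up env var: canonical absolute path, no trailing slash. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <libgen.h>
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Return 1 if path, once symlinks and ".." are resolved, lies under root. */
int under_root(const char *path, const char *root)
{
    char real[PATH_MAX], parent[PATH_MAX];
    if (realpath(path, real) == NULL) {
        /* The file may not exist yet (O_CREAT): judge its parent directory. */
        snprintf(parent, sizeof parent, "%s", path);
        if (realpath(dirname(parent), real) == NULL)
            return 0;
    }
    size_t n = strlen(root);
    return strncmp(real, root, n) == 0 && (real[n] == '/' || real[n] == '\0');
}

/* Policy plus pass-through: reads go anywhere, writes only under WRITE_ROOT. */
int guarded_open(const char *path, int flags, mode_t mode)
{
    const char *root = getenv("WRITE_ROOT");
    int writing = (flags & O_ACCMODE) != O_RDONLY || (flags & (O_CREAT | O_TRUNC));
    if (root != NULL && writing && !under_root(path, root)) {
        errno = EACCES;
        return -1;
    }
    /* Raw syscall so the shim does not call back into itself. */
    return (int)syscall(SYS_openat, AT_FDCWD, path, flags, mode);
}

/* Same signature as libc's open(); the dynamic linker binds callers here. */
int open(const char *path, int flags, ...)
{
    va_list ap;
    va_start(ap, flags);
    mode_t mode = (flags & O_CREAT) ? (mode_t)va_arg(ap, int) : 0;
    va_end(ap);
    return guarded_open(path, flags, mode);
}
```

Build it with `cc -shared -fPIC -o guard.so guard.c` and run the command with `WRITE_ROOT` and `LD_PRELOAD=./guard.so` set in its environment. This shim guards against accidents only: other entry points such as `openat`, `creat`, `fopen`, statically linked binaries and direct system calls are not covered, and the path check is not atomic with the open.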






    Re: Preventing file writes outside of a tree or filesystem  
Andre Majorel


12-27-06 06:16 PM

On 2006-12-27, Stefaan A Eeckels <hoendech@ecc.lu> wrote:
> On Wed, 27 Dec 2006 09:18:58 +0000 (UTC)
> Andre Majorel <cheney@halliburton.com> wrote:
> 
>
> Access privileges are granted to users and not to processes,
> so you cannot ask the OS to restrict file access to a specific
> process.

ulimit can certainly prevent a process from writing to files.

> A fairly hackish approach would be to preload a library that
> intercepts the "open" call and applies your access policies.

Yes. A mechanism to prevent open(O_RDWR/O_WRONLY) to fail if the
pathname is not kosher would be good enough for me.

> I suspect you're asking the wrong question. What exactly are
> you trying to achieve?

Is there a way to prevent a process from consuming any disk
space outside of a chosen directory or filesystem ? The process
does not cooperate (suppose no access to the source code) but is
not actively hostile either. I'm not trying to guard against
attacks, only bugs and operator errors.

chroot is too much work to set up and maintain. Playing with
permissions won't work for several reasons, one of them being
that some of the processes need to run as root. Running the
process inside a virtual machine and preloading open(2) are of
course possibilities but the point is, if there's a standard
facility for that (E.G. something like ulimit), I'd like to
learn about it.

--
André Majorel <URL:http://www.teaser.fr/~amajorel/>
(Counterfeit: ufuzac@dissertation.com niruw@companion.com)
Religion: a magic device for turning unanswerable questions into
unquestionable answers. -- Art Gecko





    Re: Preventing file writes outside of a tree or filesystem  
Michael Vilain


12-27-06 06:16 PM

In article <slrnep5bbi.2rv.cheney@atc5.vermine.org>,
Andre Majorel <cheney@halliburton.com> wrote:

> On 2006-12-27, Stefaan A Eeckels <hoendech@ecc.lu> wrote: 
>
> ulimit can certainly prevent a process from writing to files.
> 
>
> Yes. A mechanism to prevent open(O_RDWR/O_WRONLY) to fail if the
> pathname is not kosher would be good enough for me.
> 
>
> Is there a way to prevent a process from consuming any disk
> space outside of a chosen directory or filesystem ? The process
> does not cooperate (suppose no access to the source code) but is
> not actively hostile either. I'm not trying to guard against
> attacks, only bugs and operator errors.
>
> chroot is too much work to set up and maintain. Playing with
> permissions won't work for several reasons, one of them being
> that some of the processes need to run as root. Running the
> process inside a virtual machine and preloading open(2) are of
> course possibilities but the point is, if there's a standard
> facility for that (E.G. something like ulimit), I'd like to
> learn about it.

If chroot doesn't work for you "because it's too much work", I suggest
you look at the sources for your OS and put changes in the open() call
to implement the limits you're looking for.  AFAIK, most UNIX systems
can't do this (unless there's some NSA-variant which if I told you about
I'd have to kill you).

--
DeeDee, don't press that button!  DeeDee!  NO!  Dee...








    Re: Preventing file writes outside of a tree or filesystem  
Todd H.


12-27-06 06:16 PM

Andre Majorel <cheney@halliburton.com> writes:

> On 2006-12-27, Stefaan A Eeckels <hoendech@ecc.lu> wrote: 
>
> ulimit can certainly prevent a process from writing to files.
> 
>
> Yes. A mechanism to prevent open(O_RDWR/O_WRONLY) to fail if the
> pathname is not kosher would be good enough for me.
> 
>
> Is there a way to prevent a process from consuming any disk
> space outside of a chosen directory or filesystem ?

No.

Now will you please go away?

--
Todd H.
http://www.toddh.net/





    Re: Preventing file writes outside of a tree or filesystem  
Dave Hinz


12-28-06 12:22 AM

On Wed, 27 Dec 2006 17:29:27 +0000 (UTC), Andre Majorel <cheney@halliburton.com> wrote:

> Is there a way to prevent a process from consuming any disk
> space outside of a chosen directory or filesystem ? The process
> does not cooperate (suppose no access to the source code) but is
> not actively hostile either. I'm not trying to guard against
> attacks, only bugs and operator errors.

Sounds like a disk quota question?

> chroot is too much work to set up and maintain. Playing with
> permissions won't work for several reasons, one of them being
> that some of the processes need to run as root.

RUN AWAY.





