kickboxer: a *failed* attempt at a Linux setuid sandbox

Discussion in 'all things UNIX' started by Gullible Jones, Dec 18, 2014.

  1. Gullible Jones

    Gullible Jones Registered Member

    May 16, 2013
    An idea I had, that did not pan out... Here it is in all its glory. This is public domain, use it and modify it as you see fit, but note that it does not work as presented here.

    Also, note that the binary must be setuid root if it is to work, with all that that entails...

    #include <stdlib.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <pwd.h>
    void main(void)
      // Wipe environment data
      // Get info about the invoking user
      struct passwd *my_user = getpwuid(getuid());
      // Make sure the home dir is inaccessible to anyone else
      chmod(my_user->pw_dir, 0700);
      // Enter the home dir, create the sandbox
      (void)mkdir("./sandbox", 0000);
      chown("./sandbox", 0, 0);
      chmod("./sandbox", 0777);
      // Descend into an arbitrary unprivileged account
      // Create and enter the home within the sandbox
      (void)mkdir("./user", 0000);
      chmod("./user", 0777);
      // Start a shell...
    (Setting up the environment again is left to the user. Or would be, if the darned thing worked.

    Now the problem, like I said it does not work! Aside from obvious problems (like the need for xhost hijinks to get graphical programs working), Evince can't open files in the sandbox, and Firefox can't even start if given the sandbox as a home dir. Why? Because most applications use absolute paths, not relative. Most programs will be trying to access files in the sandbox all the way through /home/$USER/sandbox/user, while /home/$USER is not traversible to the sandbox account! Thus, no file access. :(

    One could "fix" this problem by making the sandbox somewhere globally accessible, like /var/tmp or something, but that would lose you the isolation from other user accounts. So... probably a half-baked idea.

    Still, though I should put it out there.

    Edit: it works for Firefox with 0711 permissions for $HOME, however this loses the benefit of of making everything unreadable outside the sandbox... Still, that way you can at least chmod o-rwx your files to make them unreadable. Progress, I guess.

    Edit 2: I should point out that with 0711 permissions on $HOME this program is not safe for multiuser systems, since users could enter each others' sandboxes and tamper with files therein. Sigh.
    Last edited: Dec 18, 2014
  2. NGRhodes

    NGRhodes Registered Member

    Jun 23, 2003
    West Yorkshire, UK
  3. Gullible Jones

    Gullible Jones Registered Member

    May 16, 2013
    @NGRhodes, I was kind of trying to avoid some of the pains associated with chrooting.

    (And access control would still be a problem for chrooted sandboxes, unless I used ACLs. I wish Linux had a standardized RBAC implementation!)