An idea I had, that did not pan out... Here it is in all its glory. This is public domain, use it and modify it as you see fit, but note that it does not work as presented here. Also, note that the binary must be setuid root if it is to work, with all that that entails...

Code:

    #define _GNU_SOURCE          /* for clearenv() */
    #include <stdlib.h>
    #include <stdio.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/stat.h>        /* chmod(), mkdir() */
    #include <grp.h>             /* setgroups() */
    #include <pwd.h>

    int main(void) {
        // Wipe environment data
        clearenv();
        // Get info about the invoking user
        struct passwd *my_user = getpwuid(getuid());
        if (my_user == NULL)
            return 1;
        // Make sure the home dir is inaccessible to anyone else
        chmod(my_user->pw_dir, 0700);
        // Enter the home dir, create the sandbox
        chdir(my_user->pw_dir);
        (void)mkdir("./sandbox", 0000);
        chown("./sandbox", 0, 0);
        chmod("./sandbox", 0777);
        chdir("./sandbox");
        // Descend into an arbitrary unprivileged account
        // (drop root's supplementary groups first; bail out if any step fails)
        if (setgroups(0, NULL) != 0 || setgid(90210) != 0 || setuid(90210) != 0)
            return 1;
        // Create and enter the home within the sandbox
        (void)mkdir("./user", 0000);
        chmod("./user", 0777);
        chdir("./user");
        // Start a shell...
        execl("/bin/bash", "bash", (char *)NULL);
        perror("execl");     // only reached if exec fails
        return 1;
    }

(Setting up the environment again is left to the user. Or would be, if the darned thing worked.)

Now the problem: like I said, it does not work! Aside from obvious problems (like the need for xhost hijinks to get graphical programs working), Evince can't open files in the sandbox, and Firefox can't even start if given the sandbox as a home dir. Why? Because most applications use absolute paths, not relative. Most programs will be trying to access files in the sandbox all the way through /home/$USER/sandbox/user, while /home/$USER is not traversible to the sandbox account! Thus, no file access. One could "fix" this problem by making the sandbox somewhere globally accessible, like /var/tmp or something, but that would lose you the isolation from other user accounts.

So... probably a half-baked idea. Still, I thought I should put it out there.

Edit: it works for Firefox with 0711 permissions for $HOME, however this loses the benefit of making everything unreadable outside the sandbox... Still, that way you can at least chmod o-rwx your files to make them unreadable. Progress, I guess.

Edit 2: I should point out that with 0711 permissions on $HOME this program is not safe for multiuser systems, since users could enter each other's sandboxes and tamper with files therein. Sigh.
I would look at chrooting to set up isolated paths. Take a look at https://code.google.com/p/setuid-sandbox/.
@NGRhodes, I was kind of trying to avoid some of the pains associated with chrooting. (And access control would still be a problem for chrooted sandboxes, unless I used ACLs. I wish Linux had a standardized RBAC implementation!)