I am trying to run a program compiled from C code from an unknown source. I want to make sure that the program does not harm my system in any way. Like for instance, the pro
I wrote an overview of sandboxing methods on Linux (archived) here. You are best off using Linux containers (lxc) or SELinux, in my view. You could use a virtualisation solution and automate it, but it is a lot more effort.
lxc will isolate your processes, filesystem and network, and you can set resource limits on the container. There are still risks of a kernel attack, but they are much reduced.
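The answer above mentions setting resource limits on the container. As an added example (not part of the original answer, and not how lxc applies its limits, which is through cgroups), this C launcher shows the per-process analogue: it applies `setrlimit` caps and `no_new_privs` before exec and refuses to run the binary if any cap fails. The names `run_limited` and `struct run_limits` and the limit values are hypothetical, and the launcher provides no filesystem or network isolation.

```c
#include <signal.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical limits for one untrusted run; values are illustrative. */
struct run_limits {
    rlim_t cpu_seconds;   /* RLIMIT_CPU soft limit; hard limit is one second more */
    rlim_t memory_bytes;  /* RLIMIT_AS: total address space */
    rlim_t file_bytes;    /* RLIMIT_FSIZE: largest file the child may write */
    rlim_t open_files;    /* RLIMIT_NOFILE: number of file descriptors */
};

static int set_limit(int resource, rlim_t soft, rlim_t hard) {
    struct rlimit rl = { .rlim_cur = soft, .rlim_max = hard };
    return setrlimit(resource, &rl);
}

/* Runs argv[0] under the limits. Returns the exit status (0..255),
 * -signal if the child was killed by a signal, or -1000 on fork/wait failure.
 * Exit status 126: a limit could not be set, so nothing was executed.
 * Exit status 127: exec itself failed. */
int run_limited(char *const argv[], const struct run_limits *lim) {
    pid_t pid = fork();
    if (pid < 0) return -1000;
    if (pid == 0) {
        /* Fail closed: never exec the untrusted binary with a limit missing. */
        if (set_limit(RLIMIT_CPU, lim->cpu_seconds, lim->cpu_seconds + 1) ||
            set_limit(RLIMIT_AS, lim->memory_bytes, lim->memory_bytes) ||
            set_limit(RLIMIT_FSIZE, lim->file_bytes, lim->file_bytes) ||
            set_limit(RLIMIT_NOFILE, lim->open_files, lim->open_files) ||
            set_limit(RLIMIT_CORE, 0, 0) ||          /* no core dumps on disk */
            prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))  /* setuid binaries gain nothing */
            _exit(126);
        execv(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1000;
    if (WIFSIGNALED(status)) return -WTERMSIG(status);
    return WEXITSTATUS(status);
}
```

A negative return value is the signal that killed the child, so a program that spins past its CPU limit comes back as `-SIGXCPU`.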
Run it on a non-networked computer that you will re-image once it's done. There is no safe way to run it on a machine and continue to trust that machine afterwards.
Geordi uses a combination of chroot and interception of syscalls to compile and then sandbox arbitrary code.