chroot alternative

僤鯓⒐⒋嵵緔 submitted on 2019-12-12 20:26:19

Question


I'm working on a webapp (running on an Ubuntu server) that will allow the user to run Octave code (basically Matlab). However, I only want them to be able to read or modify folders in their designated home folder.

I know chroot is one way of doing this, but it's insecure and you need root privileges to chroot (which ideally the app won't need).

Also, I could read the user's code before running and throw an error if they try to write to a file, but for that I'd need to think of EVERY way the user might break my rules in order to prevent it.

I've looked at Linux-VServer but that would require a separate virtual server for each user (unless I'm mistaken).

edit: I could set up an SSH connection and jail the connection, but that seems unnecessarily resource-greedy.

Is there a way I could jail a user or process to a particular folder without using chroot?


Answer 1:


Check out lxc.

http://lxc.sourceforge.net/

LXC is... "LXC is the userspace control package for Linux Containers." It's kind of like a cgroups virtualization.
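
One way the LXC suggestion above could be applied to the question's setup, as an added example that is not part of the original answer: an unprivileged application-container config in which the Octave job sees only a prepared root filesystem plus one user's folder. The container name, all paths, the UID range and the use of LXC 3.x key names are assumptions.

```ini
# Added example, not from the answer. Names, paths and UID ranges are assumptions.
# Assumes LXC 3.x key names, a minimal rootfs at /srv/octave/rootfs with Octave
# installed, and a subuid/subgid range 100000-165535 delegated (via /etc/subuid
# and /etc/subgid) to the webapp's service account, so no root is needed.

lxc.uts.name = octave-alice

# Unprivileged container: uid/gid 0 inside maps to 100000 on the host,
# so "root" in the container has no privileges over host files.
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

# The job sees only this root filesystem, not the host's directory tree.
# Its files are owned by the container's root (host uid 100000).
lxc.rootfs.path = dir:/srv/octave/rootfs

# The single host directory exposed to the job: this user's own folder,
# bind-mounted read-write at /home/user inside the container.
# It must be owned by host uid/gid 101000 (container uid/gid 1000).
lxc.mount.entry = /srv/octave/home/alice home/user none bind,create=dir 0 0

# Run the job as a non-root uid so it cannot modify the rootfs itself.
lxc.init.uid = 1000
lxc.init.gid = 1000

# Started by the webapp for each job, for example:
#   lxc-execute -n octave-alice -f alice.conf -- /usr/bin/octave --no-gui /home/user/job.m
```

One config file per user with a different bind-mount source gives each user a separate view while sharing the same Octave rootfs.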




Answer 2:


You could use Coffer which is pretty much a pretty wrapper around chroot. It does a lot of the heavy lifting for you.

https://github.com/Max00355/Coffer



Source: https://stackoverflow.com/questions/15670387/chroot-alternative
