Ubuntu – How to sandbox applications


I want to run small untrusted programs, but restrict them from accessing any files outside of their folder, network access, and everything else that they don't really need. What is the simplest way to achieve this?

Best Answer

If they are really untrusted, and you want to be sure, you'd set up a separate box, either physically or virtually.

Further, you don't want that box to be in the same network as your important stuff, if you are paranoid enough. In all solutions you'd set up a separate user with no rights, so as not to expose too many tools to the would-be compromiser.

  • So the safest option would be a separate box removed physically from your network.
  • You could give in a bit by adding it to the physical network, but on a different subnet: no 'real' connection inside.
  • A virtual machine would be an option, but you might have to give up some performance.

If you are bound to running it on the same box, you have, for instance, this option:

  • chroot. This is a default option for doing this for lots of people, and for non-specific threats it might even work. But it is NOT a security option, and can be broken out of rather easily. I'd suggest using this as intended, i.e. not for security.

In the end you might need to set up a specific sandboxing model without the hassle of virtualization or separate boxes, or the still-at-risk situation of chroot. I doubt this is what you meant, but look at this link for some more in-depth information.
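The answer stops at "a separate user with no rights" and warns off chroot. As an added illustration of what that same-box option can look like in practice (my code, not the answerer's, and not part of the original post), the Python 3 script below launches an untrusted program with its working directory confined to its own folder, a scrubbed environment, CPU, memory, file-size and process-count limits via setrlimit(2), and its network removed by unshare(2) into a fresh user+network namespace, which Ubuntu allows for unprivileged users by default. If the caller is root it also drops to a dedicated unprivileged account. The function and constant names (`run_sandboxed`, `demo`, `CLONE_*`) are mine; if unshare is refused (common inside containers), the child exits with 127 instead of running with network access. This narrows what the program can do; it does not stop it reading world-readable files or finding a kernel bug, which is exactly why the answer prefers a separate box.

```python
"""Added example: confine an untrusted program with rlimits, a clean
environment, an optional uid drop and a private network namespace.
Assumes Linux and Python 3.7+.  Not a substitute for a VM or separate box."""
import ctypes
import os
import pwd
import resource
import signal
import subprocess
import tempfile

CLONE_NEWUSER = 0x10000000   # values from <sched.h>
CLONE_NEWNET = 0x40000000


def _setlimit(which, soft, hard=None):
    # Lower a limit without ever exceeding the current hard limit
    # (raising a hard limit would need CAP_SYS_RESOURCE).
    _, cur_hard = resource.getrlimit(which)
    hard = soft if hard is None else hard
    if cur_hard != resource.RLIM_INFINITY:
        soft, hard = min(soft, cur_hard), min(hard, cur_hard)
    resource.setrlimit(which, (soft, hard))


def _make_preexec(cpu_seconds, mem_bytes, file_bytes, block_network, run_as):
    def preexec():
        # Runs in the child between fork() and exec().
        if block_network:
            libc = ctypes.CDLL(None, use_errno=True)
            # A new user namespace lets an unprivileged caller also create a
            # network namespace; the new netns contains only a down loopback.
            if libc.unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0:
                os._exit(127)   # fail closed: never run with network by accident
        if run_as is not None and os.geteuid() == 0:
            pw = pwd.getpwnam(run_as)      # the "separate user with no rights"
            os.setgroups([])
            os.setgid(pw.pw_gid)
            os.setuid(pw.pw_uid)
        _setlimit(resource.RLIMIT_CPU, cpu_seconds, cpu_seconds + 1)  # SIGXCPU, then SIGKILL
        _setlimit(resource.RLIMIT_FSIZE, file_bytes)   # cap files it can write
        _setlimit(resource.RLIMIT_CORE, 0)             # no core dumps left behind
        _setlimit(resource.RLIMIT_NPROC, 64)           # blunt fork-bomb brake
        os.umask(0o077)
        _setlimit(resource.RLIMIT_AS, mem_bytes)       # last: applies to our own heap too
    return preexec


def run_sandboxed(argv, workdir, *, cpu_seconds=5, mem_bytes=512 * 1024 * 1024,
                  file_bytes=16 * 1024 * 1024, block_network=True,
                  run_as=None, wall_seconds=30):
    """Run argv with cwd=workdir, a minimal environment and the limits above.
    Returns (returncode, stdout, stderr); a negative returncode is the signal
    that killed the program (e.g. -SIGXCPU when the CPU limit was hit)."""
    workdir = os.path.realpath(workdir)
    os.makedirs(workdir, exist_ok=True)
    env = {"PATH": "/usr/bin:/bin", "HOME": workdir, "TMPDIR": workdir, "LANG": "C"}
    try:
        proc = subprocess.run(
            argv, cwd=workdir, env=env, capture_output=True, text=True,
            stdin=subprocess.DEVNULL, timeout=wall_seconds,
            preexec_fn=_make_preexec(cpu_seconds, mem_bytes, file_bytes,
                                     block_network, run_as))
    except subprocess.TimeoutExpired as e:
        return -signal.SIGKILL, e.stdout or "", "wall-clock limit exceeded"
    return proc.returncode, proc.stdout, proc.stderr


def demo():
    """Exercise the sandbox with constructed commands and report what held."""
    box = tempfile.mkdtemp(prefix="sandbox-")
    rc, out, _ = run_sandboxed(["sh", "-c", "pwd"], box, block_network=False)
    # A busy loop must die of SIGXCPU once it burns cpu_seconds of CPU time.
    rc2, _, _ = run_sandboxed(["sh", "-c", "while :; do :; done"], box,
                              cpu_seconds=1, block_network=False, wall_seconds=20)
    # With block_network=True the child either ran inside a fresh netns (0)
    # or refused to start because unshare was denied (127).
    rc3, _, _ = run_sandboxed(["sh", "-c", "exit 0"], box, block_network=True)
    return {
        "cwd_confined": rc == 0 and out.strip() == os.path.realpath(box),
        "killed_by_cpu_limit": rc2 == -signal.SIGXCPU,
        "network_namespace": "available" if rc3 == 0 else "denied",
    }


if __name__ == "__main__":
    print(demo())
```

Pair this with a dedicated account (`sudo adduser --system --no-create-home --shell /usr/sbin/nologin sandbox` and `run_as="sandbox"` when launched as root) so the program owns nothing but its folder; what it can still read is whatever that account can read, which is the limit of this approach and the reason the answer ranks it below a separate box.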
