Shell – Is it possible to drop all write privileges in a shell for the current user

posixselinuxshell

This is NOT for security purposes.

Suppose I wanted to execute a shell script and, on a best effort basis, assume it left no side effects aside from things like auditd logging, avc reports, syslog, etc. Effectively, I want to drop all write privileges for the current user for the entire shell session. I'm not interested in setting up groups and lower privileged users with carefully managed file permissions. What options exist?

Ideally I'd like to target any posix shell, but I started with bash because it's what I'm most familiar with.

Reading through man bash, restricted shells looked promising but they're too restrictive in the wrong places. e.g. I still want to be able use cd and it doesn't prevent something like echo foo | tee /file. Likewise, bash set options aren't restrictive enough since they don't restrict subprocesses from writing as well, e.g. (set -C; echo foo | tee /file) doesn't accomplish what I'm looking for.

I'd also like to avoid overlayfs, as I'd like to be able to enter/exit this "read-only" mode in a single SSH session.

The closest I've gotten is dropping the max filesize ulimit to 0:

(ulimit -f 0; echo "blows up w/ signal SIGXFSZ" > file; ); echo $?

This seems pretty close to what I'm looking for and works in shells like dash, but it still suffers from leaving empty files around. So in the example above "file" would have been created, but would be empty.

I feel like there is a way to confine my user session with SELinux to something more restrictive, but could use a pointer to help.

Any other options?

Another option I'm interested in is simply monitoring any IO write during a process. Perhaps cgroups could be used for this, but I'm unfamiliar with them. Or perhaps systemd-run could be useful too.

Best Answer

Not a complete answer, but maybe a pointer towards one...

Perhaps something like the Linux Diskquota system would work, the Debian quota package description:

  Description-en: disk quota management tools
   This package provides the standard set of utilities for manipulating
   file system usage caps via the Linux Diskquota system. It can set hard
   or soft limits with adjustable grace periods on block or inode usage for
   users and groups. It allows users to check their quota status,
   integrates with LDAP, and supports quotas on remote machines via NFS.

A rough outline would be:

set up a guest system or home directory with most everything write protected, then
turn on the quota system for user foobar, set to 0.

Related Solutions

Bash Shell History – How to Record Wildcard Expansions

I don't think any shell does anything beyond whitespace munging when storing commands into the history. What * expanded to is not recorded, and there doesn't seem to be an option to record it.

Note that it would not be possible to record in full generality anyway. For example, if you run a='foo* bar*'; rm $a (rm $=~a in zsh), the shell is unlikely to detect the wildcard match syntactically. And there's no option to log all glob expansions.

You could cobble something together with preexec (or the bash equivalent). Untested first go (for zsh):

history_wildcards=()
precmd () {
  emulate -LR zsh
  local n tmp
  history -1 | read n tmp
  history_wildcards[$(($n+1))]=$=~1
}

This fills the history_wildcards array to a string with the glob expansion of each word in the command line. Word splitting is performed in the naive way, so something like echo ' /**/* ' will expand /**/* (i.e. traverse your disk). Don't expect anything useful from cd subdir && echo * or anything so mind-bogglingly nontrivial.

If you plan beforehand, you can make zsh expand the wildcards before you submit the command. In the default configuration, just press Tab when your cursor is on the glob. If you've configured completion differently, try ^X * (expand-word).

Shell – How to Test for POSIX Compliance of Shell Scripts

Unfortunately, 'portable' is usually a stronger requirement than 'POSIX-compliant' for shell scripts. That is, writing something that runs on any POSIX shell isn't too hard, but getting it to run on any real-world shell is harder.

You can start by installing every shell in your package manager, in particular debian's posh sounds like what you want (Policy-compliant Ordinary SHell). Debian's policy is POSIX with a few exceptions (echo -n specified, local...).

Beyond that though, testing has to cover a few shells (/bin/sh especially) on a range of platforms. I test on Solaris (/bin/sh and xpg4/sh), and BSD. AIX and HP-UX are very compliant and don't cause problems. bash is a little world of its own.

I'd recommend the Autoconf guide to portable shell, which is absolutely brilliant and saves a lot of time. Large chunks of it are obsolete, but that's OK; just skip TruUnix and Ultrix and so on if you don't care!

Best Answer

Related Solutions

Bash Shell History – How to Record Wildcard Expansions

Shell – How to Test for POSIX Compliance of Shell Scripts

Related Question