sandbox is a tool originally used in Gentoo Linux to monitor and restrict a process's access to the file system. For example, depending on the configuration, a process started with sandbox cannot write to any file in directories above the directory where the sandbox was started. If such a process tries to write to a file where it is not permitted, the sandbox stops and the process gets killed. It is also possible to restrict read access with sandbox, but with the default configuration sandbox gives read access to the complete file system (the process is still restricted by the user's permissions).
There is no comparable tool on Debian to do that, so I tried to port sandbox from Gentoo to Debian. To do so, you first have to download the sandbox source. I found it at http://dev.gentoo.org/~vapier/dist/, where the latest version (2010-02-11) is 2.2.
lzma is a compression format that is not included by default on Debian, so you may have to install it with
aptitude install lzma
Then we can unpack the source:
lzma -d sandbox-2.2.tar.lzma
tar -xf sandbox-2.2.tar
Then go into the directory and type ./configure
Look at the output. You may find the following lines:
checking for gawk... no
checking for mawk... mawk
sandbox cannot be compiled with mawk, so you need gawk. If you see the lines above, you have to install gawk:
aptitude install gawk
Then type "./configure" again. Now you should find this line in the output:
checking for gawk... gawk
If you see this line, and no line with "mawk", it is correct.
Now we could type "make" to build everything and it would work, but maybe you want to make some cosmetic changes first.
Since sandbox comes from Gentoo, it wants to have its config in /usr/etc, but Debian software has its config in /etc/, so we want to tell sandbox to use its config in this place. There are 2 options:
- Use /etc/ as the config dir. Then sandbox would have /etc/sandbox.conf as its primary config file and /etc/sandbox.d/ as the directory for additional config files.
- Or use /etc/sandbox/ as the config dir. Then we have /etc/sandbox/sandbox.conf and /etc/sandbox/sandbox.d/
Both would follow Debian conventions, so it is your decision.
I used the first way.
If you want, you can also "personalize" your sandbox by using a custom banner. By default, sandbox starts with this output:
============================= Gentoo path sandbox ==============================
But you can open ./src/sandbox.c and change this line to whatever you want. (Maybe "Debian path sandbox"?)
Now we are ready to build and install sandbox.
make && make install
Once the make process has completed, you can use sandbox. When you type "sandbox", it starts a default shell. You can also run "sandbox [command]" if you want to start something else with sandbox. Feel free to try something like "echo foo > ../bar". With the default configuration, sandbox will give you an error message and kill the session.
There is no manpage for sandbox, but you will find some information in the comments in the config files.
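The write restriction described at the top, which is what stops "echo foo > ../bar", can be modelled as a path-prefix check. The C code below is an added example, not code from sandbox itself; it assumes the only writable area is the directory where the sandbox started, and the function names and the /home/u/build directory are made up for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative model, not sandbox's code. Lexically normalises an absolute
 * path ("//", ".", ".."); symlinks are NOT resolved, a real checker must. */
static int normalize(const char *path, char *out, size_t outsz)
{
    size_t len = 0;
    if (path[0] != '/' || outsz < 2) return -1;   /* absolute paths only */
    out[len++] = '/';
    for (const char *p = path; *p; ) {
        while (*p == '/') p++;
        size_t n = strcspn(p, "/");
        if (n == 0) break;
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            while (len > 1 && out[len - 1] != '/') len--;  /* drop last component */
            if (len > 1) len--;                            /* and its slash */
        } else if (!(n == 1 && p[0] == '.')) {
            if (len + n + 2 > outsz) return -1;            /* would not fit */
            if (len > 1) out[len++] = '/';
            memcpy(out + len, p, n);
            len += n;
        }
        p += n;
    }
    out[len] = '\0';
    return 0;
}

/* 1 if a write to `target` (relative to `cwd`) stays inside `start_dir`, else 0.
 * Fails closed; compares whole components (build does not admit build-old). */
int write_allowed(const char *start_dir, const char *cwd, const char *target)
{
    char full[4096], root[4096], norm[4096];
    int w = (target[0] == '/') ? snprintf(full, sizeof full, "%s", target)
                               : snprintf(full, sizeof full, "%s/%s", cwd, target);
    if (w < 0 || (size_t)w >= sizeof full) return 0;
    if (normalize(start_dir, root, sizeof root) != 0) return 0;
    if (normalize(full, norm, sizeof norm) != 0) return 0;
    size_t n = strlen(root);
    if (n == 1) return 1;   /* start_dir is "/" */
    return strncmp(norm, root, n) == 0 && (norm[n] == '/' || norm[n] == '\0');
}

int main(void)
{
    const char *d = "/home/u/build";   /* constructed sample directory */
    printf("../bar -> %d\n", write_allowed(d, d, "../bar"));
    return 0;
}
```

The check only works if the path is normalised before the prefix comparison and the comparison ends on a component boundary; skipping either step lets "sub/../../bar" or a sibling directory such as build-old slip through.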