sandbox is a tool originally used in Gentoo Linux to monitor and restrict the access to the file system for a process. For example, dependent on the configuration a process started with sandbox cannot write to any file in directories, which are are above the directory, where the sandbox started. If such a process tries to write to files, where it is not permitted, the sandbox stops and the process gets killed. It is also possible to restrict read-access with sandbox, but with default configuration sandbox gives read-access to the complete file system. (however the process gets restricted by the user rights)

There is no comparable tool on Debian to do that, so I tried to port sandbox from Gentoo to Debian. To do so, first you have to download the sandbox source. For me, I found it on, where the last version (2010-02-11) is 2.2


lzma is a compress format, that is not included by default on Debian, so, maybe you have to install it with

aptitude install lzma

then, we can unpack the source

lzma -d sandbox-2.2.tar.lzma
tar -xf sandbox-2.2.tar

then go into the directory and type ./configure

cd sandbox-2.2

Look at the Output: Maybe you will find the following rows:

checking for gawk... no
checking for mawk... mawk

sandbox cannot compile with mawk, so you need gawk. If you see the rows above, you have to install gawk

aptitude install gawk

then, type "./configure" again. now, you should find this row on output

checking for gawk... gawk

If you see this line, and no line with "mawk", it is correct.

Now we could type "make" to build all and it would work, but maybe you want to make some cosmetic changes first.

Since sandbox comes from Gentoo, it wants to have its config in /usr/etc, but Debian software has its config in /etc/, so we want to tell sandbox to use its config in this place. There are 2 options:

both would go with Debian conventions, so it is your decision.

I used the first way.

./configure --sysconfdir=/etc/

If you want to do so, you can also "personalize" your sandbox by using a custom banner. By default, sandbox starts with this output:

============================= Gentoo path sandbox ==============================

But you can open ./src/sandbox.c and change this line to somewhat you want. (Maybe "Debian path sandbox"? :) )

Now we are ready to build and install sandbox.

just type

make && make install 

if the make process is completed, you can use sandbox. When you type "sandbox", it starts with a default-shell. Also you can "sandbox [command]", if you want to start something other with sandbox. Feel free to try somewhat like "echo foo > ../bar". By default configuration, sandbox will give you an error-message and kill the session.

There is no manpage for sandbox, but you will find some information in the comments in the config files.