setgid/setuid/chroot?

[avsm]

See stud's command-line options:

  -r  --chroot=DIR           Sets chroot directory (Default: "")
  -u  --user=USER            Set uid/gid after binding the socket (Default: "")
  -g  --group=GROUP          Set gid after binding the socket (Default: "")

[avsm]

Maybe use release for this: https://github.com/andrenth/release

[cfcs]

Not sure what the point of this would be, but if you do need to sandbox it, it should probably be done in a thorough fashion:

• Care should also be taken to close inherited file descriptors and get rid of shared memory segments (shm*()).
• When setting uid/gid, euid and egid should be set accordingly
• Under Linux:
  • seccomp-bpf whitelisting should be used to limit system calls
  • Namespaces should be used (clean mount and network namespaces, probably process namespace too)

Additional resources:

• http://www.toptal.com/linux/separation-anxiety-isolating-your-system-with-linux-namespaces
• https://github.com/servo/servo/wiki/Linux-sandboxing
• https://l3net.wordpress.com/projects/firejail/firejail-usage/
• https://www.chromium.org/chromium-os/chromiumos-design-docs/system-hardening

[hannesm]

patches welcome. I also stumbled upon mirage/charrua@de2c28f recently