This uses mvdan/sh/interp to provide a builtin POSIX shell interpreter whose file operations are (mostly) restricted to a sandbox root. I say mostly because the builtin shell globbing (e.g. `echo /etc/*`) still allows listing directories outside the sandbox, though accessing them is prevented. The basics seem to work, though there would be quite a bit more work fleshing out the supported utilities.

Security-wise I'm not sure this gives us much, as one of the goals of this is to allow executables _within_ the sandbox to be executed (e.g. Java's keytool). If this is allowed then the package can basically execute arbitrary code without restriction, so I don't think there are many/any security benefits whatsoever.

However there are other benefits: consistent shell support across any OS, including Windows. There is no need to rely on particular versions of bash being present. Some safety guarantees around accidentally violating the sandbox, e.g. a script that accidentally rm's some files.

Are these benefits large enough to warrant fleshing this out? I am not certain.
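An added stand-alone illustration (not code from this PR or from mvdan/sh) of the confinement check a sandboxed open handler applies, and which the comment above notes is missing for globbing: paths are cleaned against the sandbox root before touching the disk, and symlinks in the existing prefix are resolved so a link that points out of the tree is refused. The names `Confine`, `ConfinedGlob` and `resolveExisting` are assumptions; `root` is expected to be an already symlink-resolved host directory.

```go
package main
import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)
// ErrEscape marks any path that would resolve outside the sandbox root.
var ErrEscape = errors.New("path escapes sandbox root")
// Confine maps a path as the script sees it (absolute, or relative to the sandbox-relative
// cwd such as "/work") onto the host tree under root (already symlink-resolved). Symlinks in
// the existing prefix are followed, so a link pointing out of the tree cannot be used to walk out.
func Confine(root, cwd, p string) (string, error) {
	if !filepath.IsAbs(p) {
		p = filepath.Join(cwd, p)
	}
	// Clean against "/" first so "/../../etc" collapses to "/etc" inside the sandbox, not above root.
	host, err := resolveExisting(filepath.Join(root, filepath.Join("/", p)))
	if err != nil {
		return "", err
	}
	if host != root && !strings.HasPrefix(host, root+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %s", ErrEscape, p)
	}
	return host, nil
}
// resolveExisting follows symlinks in the longest existing prefix of p and re-attaches the
// remaining components, so a file that is about to be created is checked as well.
func resolveExisting(p string) (string, error) {
	rest := ""
	for {
		r, err := filepath.EvalSymlinks(p)
		if err == nil {
			return filepath.Join(r, rest), nil
		}
		if parent := filepath.Dir(p); errors.Is(err, os.ErrNotExist) && parent != p {
			rest, p = filepath.Join(filepath.Base(p), rest), parent
			continue
		}
		return "", err
	}
}
// ConfinedGlob adds the check the comment says the builtin globbing lacks: the directory
// being listed must itself pass Confine before it is read.
func ConfinedGlob(root, cwd, pattern string) ([]string, error) {
	dir, err := Confine(root, cwd, filepath.Dir(pattern))
	if err != nil {
		return nil, err
	}
	return filepath.Glob(filepath.Join(dir, filepath.Base(pattern)))
}
```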
This uses mvdan/sh/interp to provide a builtin POSIX shell interpreter whose file operations are (mostly) restricted to a sandbox root. I say mostly because the builtin shell globbing (e.g. `echo /etc/*`) still allows listing directories outside the sandbox, though accessing them is prevented, but also because I'm not certain about those guarantees.

The basics seem to work though there would be quite a bit more work fleshing out the supported utilities.

Security-wise I'm not sure this gives us much, as one of the goals of this is to allow executables within the sandbox to be executed (e.g. Java's keytool). If this is allowed then the package can basically execute arbitrary code without restriction, so I don't think there are many/any security benefits whatsoever.

However it does vastly simplify hooks while simultaneously making them much more flexible, e.g.

There are also other benefits such as consistent shell support across any OS, including Windows, no need to rely on particular versions of bash being present, and some safety guarantees around accidentally violating the sandbox, e.g. a script that accidentally rm's some files.