make;
make install;

some notes to myself

Simple Sandbox

Written on November 6, 2016

The Gentoo documentation has a tutorial on setting up a simple sandbox. The simplest of all sandboxing methods uses only discretionary access controls, which on Linux means user/group ownership and permission bits enforced by the kernel: the program runs under its own uid, so it can only touch what that uid has explicitly been granted. No seccomp, no user namespaces, no SELinux.

The script below is a modified version of theirs that I've used for a number of applications on Ubuntu. It creates a new user and an associated home dir, restricts permissions and ownership of the files installed by the package, adds a sudoers entry, and adds an alias so that xhost automatically adds/removes the sandbox user's access to the X server. (This doesn't prevent a given application running on your desktop from seeing another application running on your desktop: X11 has no isolation between clients, so once the sandbox user is let in through xhost its program can read keystrokes and window contents of everything else on the display. For that, take a look at Qubes.)

After sandboxing, tweaks will likely have to be made for some software, such as adding the firefox sandbox user to the 'audio' group so that the browser can play sound. Note also that dpkg restores the packaged ownership and modes whenever the package is upgraded, so the permission-restricting step needs re-running after each upgrade. You probably don't want to go too deep and create a separate user for everything. I made the mistake of trying to have individual users for mutt and gpg. It became an unmaintainable PITA. mutt will ignore the user umask and use its own (supposedly for security purposes), but this was not fully thought out. For example, vi will apply the environment umask to the swap file when working on a draft of an email, but when you save, mutt will restrict access per its 077 umask. This prevents the gpg user from being able to sign/encrypt these files. I started working on a script to setfacl the tmp mail dir and chmod/chgrp before gpg was used, and then was just like "AGH!". I know secure defaults are important, but at least give me a config option to turn this off!

#!/bin/bash
# Run as root: sandbox.sh package sandbox_user user binary
# Creates a dedicated uid for one package, restricts the package's files to
# that uid's group, and lets $user run $binary as that uid via sudo, with
# access to the X server granted only while the program is running.
set -euo pipefail

if [ $# -ne 4 ]; then
	echo "Usage: $0 package sandbox_user user binary" >&2
	exit 1
fi
[ "$(id -u)" -eq 0 ] || { echo "$0: must be run as root" >&2; exit 1; }

pkg=$1
sbuser=$2
user=$3
binary=$4
binpath=$(command -v "$binary")   # resolve once; sudoers needs the full path

# Create a home dir for the sandbox user. Group is $user so the caller can
# reach into it (e.g. to pull out downloads); everyone else is kept out.
home="/appl/$sbuser"
mkdir -p "$(dirname "$home")"
useradd --home="$home" --create-home --shell /bin/false --user-group "$sbuser"
chown "$sbuser:$user" "$home"
chmod 770 "$home"

# Add sudoers entry: $user may run exactly this binary as $sbuser, no password.
# Write the drop-in, then have visudo check it before keeping it.
sudoers="/etc/sudoers.d/$sbuser"
echo "$user ALL=($sbuser) NOPASSWD: $binpath" > "$sudoers"
chmod 0440 "$sudoers"
visudo -cf "$sudoers" || { rm -f "$sudoers"; exit 1; }

# Restrict permissions/ownership of the package's files: root keeps rw, the
# sandbox group keeps r(x), everyone else loses access. Paths are read line
# by line rather than scraped from ls output; directories are left alone and
# symlinks are skipped (chmod would follow them to their target). dpkg puts
# the packaged modes back on upgrade, so re-run this block after upgrading.
dpkg -L "$pkg" | while IFS= read -r f; do
	[ -f "$f" ] && [ ! -L "$f" ] || continue
	chmod u-x,g-w,o= "$f"
	chown "root:$sbuser" "$f"
done

# Add an alias to $user's shell rc: "$binary" grants the sandbox user X access,
# runs the program, then revokes access again even if the program exits non-zero.
user_home=$(getent passwd "$user" | cut -d: -f6)
shell=$(basename "$(getent passwd "$user" | cut -d: -f7)")
profile=.profile
if [ "$shell" = zsh ]; then
	profile=.zshrc
elif [ "$shell" = bash ]; then
	profile=.bashrc
fi

echo "alias $binary='xhost +si:localuser:$sbuser >/dev/null; sudo -H -u $sbuser $binpath; xhost -si:localuser:$sbuser >/dev/null'" >> "$user_home/$profile"
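The permission-restricting step is the part of the procedure most likely to misfire, because `dpkg -L` lists directories, symlinks and the occasional path with a space alongside the regular files. The following is an added example, not code from the post or from the Gentoo tutorial: a `restrict_files` function that reads the file list from stdin and applies the same `u-x,g-w,o=` mode, skipping what must not be touched, plus a `demo` that runs it unprivileged over a constructed temporary tree standing in for an installed package. The function names, the tree contents and the fake listing are all made up here; the optional GROUP argument does the `chown root:GROUP` part and needs root.

```shell
#!/bin/bash
# Added example: apply the sandbox script's file restriction to a list of
# paths read from stdin (e.g. the output of `dpkg -L "$pkg"`).
#
# restrict_files MODE [GROUP]  < paths
#   MODE  is a symbolic chmod mode such as u-x,g-w,o=
#   GROUP if given, also chown each file to root:GROUP (needs root)
# Prints the number of files changed.
restrict_files() {
    local mode=$1 group=${2:-} f changed=0
    while IFS= read -r f; do
        # dpkg -L also lists directories, and some packages ship symlinks;
        # chmod on a symlink would change its target, so skip both, along
        # with any line that is not an existing regular file.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        chmod "$mode" "$f" || return 1
        if [ -n "$group" ]; then
            chown "root:$group" "$f" || return 1
        fi
        changed=$((changed + 1))
    done
    echo "$changed"
}

# demo: builds a constructed (made-up) tree standing in for an installed
# package, feeds restrict_files a fake dpkg -L listing, and reports
# "<files changed> <mode of binary> <mode of doc file> <mode of bin dir>".
demo() {
    local root n out
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/usr/share/doc/pkg"
    chmod 755 "$root/usr/bin"
    : > "$root/usr/bin/app";               chmod 755 "$root/usr/bin/app"
    : > "$root/usr/share/doc/pkg/read me"; chmod 644 "$root/usr/share/doc/pkg/read me"
    ln -s app "$root/usr/bin/app-link"
    n=$(printf '%s\n' \
            "$root/usr" \
            "$root/usr/bin" \
            "$root/usr/bin/app" \
            "$root/usr/bin/app-link" \
            "$root/usr/share/doc/pkg/read me" \
            "$root/usr/share/doc/pkg/missing" \
        | restrict_files u-x,g-w,o=)
    out="$n $(stat -c %a "$root/usr/bin/app")"
    out="$out $(stat -c %a "$root/usr/share/doc/pkg/read me")"
    out="$out $(stat -c %a "$root/usr/bin")"
    rm -rf "$root"
    echo "$out"   # 2 650 640 755
}
```

Two of the six listed paths are changed: the binary goes from 755 to 650 and the doc file from 644 to 640, so only the owner (root) and the group can read them. The directories keep 755, which matters because `o=` on a directory such as /usr/bin would lock every other user out of it, and the symlink is skipped so its target is changed once, through its own listing, rather than twice.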