Security

Script to run a shell command without breaching security of your home dir

Script to run a shell command without breaching security of your home dir: the script still can access the current directory and subdirectories and still can connect to network services including for example Redis to get your secret data. It also can access other directories like /bin or /usr.

#!/bin/sh

# Script to run a shell command without breaching security of your home dir:

# safe cat /home/me/VERY-SECRET-FILE
# cat: /home/me/VERY-SECRET-FILE: No such file or directory

# Requires `firejail`, `expect`, `xserver-xorg-video-dummy`.
# The file /etc/X11/xorg.conf.d/dummy-1920x1080.conf is to be taken from
# https://techoverflow.net/2019/02/23/how-to-run-x-server-using-xserver-xorg-video-dummy-driver-on-ubuntu/

# TODO: 1. Make dependencies optional. 2. Make it able to run X clients.

ARGS="$@"

# --x11=none
# --apparmor
# firejail --noprofile --shell=none --disable-mnt --nogroups --nonewprivs --notv --nou2f --novideo --private=. --seccomp "$@"

TMPDIR="$(mktemp -d)"
trap "test \"$TMPDIR\" != '' && rm -rf \"$TMPDIR\"" EXIT
mkfifo -m600 "$TMPDIR/stdout"
mkfifo -m600 "$TMPDIR/stderr"

if [ -t 1 ]; then
  UNBUFFER="unbuffer -p "
else
  UNBUFFER=""
fi

# I change HOME to be sure that .bashrc, .asound, .Xauthority are not copied!
HOME="$TMPDIR" SHELL=/bin/sh firejail --ignore=seccomp --profile=default --shell=none --disable-mnt --nogroups --nonewprivs --notv --nou2f --novideo --private=. --seccomp --env=DISPLAY=:100 \
  xinit /bin/sh -c "/bin/sh -c \"$UNBUFFER$ARGS\" 1>$TMPDIR/stdout 2>$TMPDIR/stderr" -- -config dummy-1920x1080.conf -quiet :100 2>/dev/null &

cat "$TMPDIR/stdout" &
P1=$!
cat "$TMPDIR/stderr" >&2 &
P2=$!

wait $P1 $P2

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.