Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I'm looking for a way to have my users log in to my server (Cetos 5) and get a secure shell in which they could compile their own code, with as less privileges granting as possible.
A sort of sandbox for them to write in...
Now I've heard of chroot, and I'd like to know if anyone has tried it for this sort of purpose, and of course any other ideas will be much appreciated.
Just have them compile their own code, within their own home directories.
Maybe they'll have to add /home/username/bin/ to their $PATH if they would like an easy life. But that's up to them.
This is the way linux is set up as the default behaviour: Any user can compile and install (to their ~/* ) anything, but they cannot install it to the system, or have it seen or executed by other users unless they have root privileges.
So all users should already be in a "sandbox" unless you have granted them further privileges or messed about with your default installation.
You do not need chroot and I think you do not understand the purpose of chroot
OK, what I forgot to write is that the code that we write requires root permissions to run, and all of our developers need to run it after working on it.
So the question still stands:
I need an environment that I can give my users root permissions but yet not really give them root to all of the server.
So ?
If they're writing the code, forget it. They can break out anytime they want...
If you can't trust them, either buy some cheap boxes for them to work on, or create a VM for each Dev.
OK, what I forgot to write is that the code that we write requires root permissions to run, and all of our developers need to run it after working on it.
So the question still stands:
I need an environment that I can give my users root permissions but yet not really give them root to all of the server.
Have you considered VMWare? I'm thinking, create a virtual machine on a server for each developer, and give that developer root privileges to that virtual machine. They can run the program there to test it, and it will do whatever it's designed to to IN THAT VIRTUAL MACHINE, but it will not be able to affect the hosting server or any other virtual machine on that server.
VMs are a decent solution, provided you do the proper capacity planning. Just slapping a bunch of VMs on a piece of hardware can result in some serious performance problems if you haven't bothered to figure out how hard the VMs are going to be used.
Quote:
Why not run the server as a code repository and have then develop the code on their own hosts?
Unless there is some reason to run the code on a specific box, I think this is my favorite solution.
VMs are a decent solution, provided you do the proper capacity planning. Just slapping a bunch of VMs on a piece of hardware can result in some serious performance problems if you haven't bothered to figure out how hard the VMs are going to be used.
Unless there is some reason to run the code on a specific box, I think this is my favorite solution.
Well first, about the VM, what sort of planning do you mean?
Second, about developing on their own host, we do not allow to have the code on the local box.
Still, goes to the former question: what is the most basic distro to run for development (c++,java) on the VM?
Well first, about the VM, what sort of planning do you mean?
I mean that you need to look into how many VMs your hardware can support without running into unacceptable performance issues. Each VM will require RAM, disk space and CPU cycles. One of the places I work has a tendency to just stand up VMs regardless of how many are already running on a given bit of hardware. The result is that all of the VMs are largely useless because each one doesn't get enough RAM or CPU time. VMs are good at maximizing hardware usage, but they also make it much easier to max out hardware.
Quote:
Still, goes to the former question: what is the most basic distro to run for development (c++,java) on the VM?
I don't think it really matters as the most common/popular distros are all going to be more or less the same. I'd put more emphasis on what distro you're more comfortable managing or which one your developers are more comfortable using.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.