Is it possible to run a bash script in a sort of sandbox


Our product has a need to execute an unknown bash script on a delicate server in order to achieve a certain goal. This bash script is user-supplied. We are interested in ensuring that only specific commands are allowed, and that all others are not. Furthermore, we need to replace some commands with others.

So, for example, we would like to execute the script and allow the following commands:

But not allow any other command (we don't want to supply a specific list here).

Furthermore, if the script contains the command cp we would like to capture it and redirect to a different command (which can be done using alias).

Any idea how this is done?

Best Answer

The easiest way is to use a chroot jail containing only the commands you want the script to be able to run. You then run the script through a wrapper that calls chroot into the directory and then executes the script.
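One way to put the answer above into practice, written as an added example rather than code from the question or the answer: build a minimal chroot jail that holds bash plus an allow-list of commands, drop a shim named cp into the jail's bin so that any cp in the user script reaches the replacement instead of the real binary, and generate a wrapper that copies the user script in and runs it under chroot. The jail path, the allow-list (ls, cat) and the behaviour of the cp shim are assumptions for illustration; running the generated wrapper needs root because of chroot.

```shell
#!/bin/sh
# Added example (not from the original question or answer). Builds a chroot
# jail for running an untrusted bash script with an allow-list of commands.
# Jail path, allow-list and the cp shim are illustrative assumptions.
set -eu

# Copy one command into $jail/bin and every shared library ldd reports for
# it into the same path it has on the host, so the binary loads inside chroot.
install_with_libs() {
    jail="$1"; bin="$2"
    src=$(command -v "$bin") || { echo "missing on host: $bin" >&2; return 1; }
    cp "$src" "$jail/bin/$bin"
    # ldd is best-effort: "lib => /path" lines and bare "/path" loader lines.
    ldd "$src" 2>/dev/null | awk '/=> \//{print $3} /^[ \t]*\//{print $1}' |
    while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        [ -e "$jail$lib" ] || cp "$lib" "$jail$lib"
    done
}

# build_jail DIR CMD...  : fresh jail containing bash, the listed commands and
# a cp shim. Anything not listed simply does not exist inside the jail.
build_jail() {
    jail="$1"; shift
    rm -rf "$jail"
    mkdir -p "$jail/bin" "$jail/work"
    for bin in bash "$@"; do
        install_with_libs "$jail" "$bin"
    done
    # Shim replacing cp: a hypothetical stand-in that records the request
    # instead of copying. Because it is the only "cp" on the jail's PATH,
    # it works in non-interactive scripts, where aliases are not expanded.
    cat > "$jail/bin/cp" <<'EOF'
#!/bin/bash
printf 'cp intercepted, arguments: %s\n' "$*"
EOF
    chmod 0755 "$jail/bin/cp"
}

# write_wrapper DIR OUT : generates the wrapper the answer describes. It
# copies the user script into the jail and executes it via chroot with PATH
# restricted to the jail's /bin.
write_wrapper() {
    jail="$1"; out="$2"
    cat > "$out" <<EOF
#!/bin/sh
# Usage (as root): $out user-script.sh
set -eu
cp "\$1" "$jail/work/script.sh"
exec chroot "$jail" /bin/bash -c 'export PATH=/bin; exec /bin/bash /work/script.sh'
EOF
    chmod 0755 "$out"
}

# Demo: jail at /tmp/script-jail (override with JAIL=...), allowing ls and cat.
JAIL="${JAIL:-/tmp/script-jail}"
build_jail "$JAIL" ls cat
write_wrapper "$JAIL" "$JAIL-run.sh"
echo "jail built at $JAIL; run scripts with: sudo $JAIL-run.sh script.sh"
```

Two points worth knowing when using this: aliases are not expanded in non-interactive bash unless the script itself enables expand_aliases, so a replacement placed on the jail's PATH under the original name is the reliable way to redirect cp; and chroot is a filesystem view, not a privilege boundary, so the wrapper should drop to an unprivileged user (for example with chroot's --userspec option on GNU coreutils) before the script runs.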