Restricting writes to just /tmp and cleaning /tmp after every worker #197
As a stepping stone for the work that #188 attempted to prove, we should build a system that prevents workers from writing to any directory except the /tmp directory and removes all files in the /tmp directory after every worker finishes. This system should be built on top of #184.

Handy links/references:
- child_process.exec: https://nodejs.org/api/child_process.html#child_process_child_process_exec_command_options_callback
- useradd documentation: https://linux.die.net/man/8/useradd
- groupadd documentation: http://man7.org/linux/man-pages/man8/groupadd.8.html
- /tmp documentation in linux file hierarchy page: http://man7.org/linux/man-pages/man7/file-hierarchy.7.html

cc/ @mapbox/platform-engine-room

Comment:

For restricting writes, I was able to prove that adding a random uid to a spawned child process, whether that uid maps to a real user or not, prevents that child process from writing to anywhere except

Experiment:

Output on alpine linux:

Output on ubuntu linux:

Both of these experiments work when I change the file to

With that proven, I'll start writing tests on restriction. I think we will need to move tests to run inside of a container for this, since normal mac/linux users are not allowed to specify other users for sub-shells, but the root user of a container would.

Comment:

This was done in #200