execute terminal command in isolated unix environment [closed]

Question

It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.

Closed 8 years ago.

I am writing a webapplication in which users are able to execute git, bzr, and hg commands on the server. Basically, a user writes the git/bzr/hg command into a html form, hits a button, the command is sent to the server, and executed in the directory the user owns.

How can I make this secure? I need to be able to execute a bash command which can only access and change one specific directory. And preferably, the directory in which the command is execute should not contain additional files. I think this is necessary for chroot.

Answer 1

As always with user input, check it before passing it further to any command.

• Is it a valid git/bzr/hg subcommand
• Are there semicolons with additional unrelated commands
• ...

You can try running the commands in a restricted shell (bash -r), which prevents a few things.

The safer, though more complex, solution, is of course a chroot or even better a virtual machine.