Changing the view of applications and users on the filesystem?
Is there any way to change what files (in particular files' content) an application can see?

I know you can prevent access to files with DAC or MAC, but I don't want to prevent accessing. Instead, I would like to change the content an application can see. When I access a file using an application, for example, I enter `/home/user/.profile` on my browser and I don't want the application to see the real content, but instead a spoofed version with the same file path however. If I open the file from the terminal or from some other application it should see the correct content. Is this somehow possible? Can this be extended to changing the contents for specific users?

linux files
edited Sep 13 at 15:51 by Goro
asked Sep 13 at 14:44 by tainted

Maybe you want Linux namespaces. Google it, then do it, no matter whether by `lxc-run` or `lxc-unshare`, or write your own sandbox. As a question on this website, I think it's too broad.
– 神秘德里克 Sep 13 at 15:04

1 Answer

You can use Linux mount namespaces to set up a modified view on the filesystem. Container frameworks such as LXC use them behind the scenes. They can be used from the shell quite easily as well, but require root access to set up.

```sh
# Start a shell in a new mount namespace (run as root)
unshare -m
# Stop mount events propagating between this namespace and the original one
mount --make-rprivate /
# Mount the spoofed file over the real path; only this namespace sees it
mount --bind /spoof/x /target/x
# Drop to the target user and run the application inside the namespace
sudo -u YOUR_USER COMMAND
```

Bind mounts are used to hide parts of the original file system tree by mounting over the original paths. `mount --make-rprivate` prevents any new mounts from propagating between the mount namespaces.

The `pam_namespace` module can be used to configure users in their own mount namespace and configure bind mounts.

edited Sep 13 at 15:39
answered Sep 13 at 15:30 by sebasth

I'm actually already running in an lxc container. I'm not sure if I can run it nested. The most important paths would be entries under `/proc` or `/sys` and I don't know how easy it would be to spoof parts of those without breaking the rest. Background is, I actually want to hide that a container is used.
– tainted Sep 13 at 16:22

Running nested mount namespaces shouldn't be an issue. For limiting `/proc` or `/sys` you probably should use MAC (SELinux/AppArmor) or choose not to make them visible for your application (run without `/proc` and `/sys` mount points altogether).
– sebasth Sep 13 at 19:49
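
A check to go with the answer above, as an added example that is not part of the original answer or its comments: it parses text in the `/proc/self/mountinfo` format and reports paths that have been bind-mounted over and mounts still marked `shared`, which verifies the `--make-rprivate` and `--bind` steps and shows that the over-mount is visible to any process that can read `/proc`. The function names and sample lines are constructed for illustration, and the root-field test is a heuristic (btrfs subvolumes and container root filesystems also report a root other than `/`).

```sh
#!/bin/sh
# Added example (not from the original answer). Parses mountinfo text on stdin.
# Fields: 4 = root within the source fs, 5 = mount point, 7.. = optional
# fields up to "-". Spaces in paths are escaped as \040, so awk splitting is safe.

# Constructed sample: view before `mount --make-rprivate /`.
sample_host() {
cat <<'EOF'
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 22 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
EOF
}

# Constructed sample: view inside the namespace after the bind mount.
sample_ns() {
cat <<'EOF'
120 100 8:1 / / rw,relatime - ext4 /dev/sda1 rw
121 120 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
122 120 8:1 /spoof/x /target/x rw,relatime - ext4 /dev/sda1 rw
EOF
}

# Heuristic: a root other than "/" means a file or subtree was bind-mounted.
bind_mounts() {
    awk '$4 != "/" { print $5 " <- " $4 }'
}

# Mount points whose mount events still propagate to peer namespaces.
shared_mounts() {
    awk '{ for (i = 7; i <= NF && $i != "-"; i++)
               if ($i ~ /^shared:/) { print $5; break } }'
}

if [ "${1:-}" = "--live" ]; then
    # Run inside the new namespace to inspect this process's real view.
    bind_mounts < /proc/self/mountinfo
    shared_mounts < /proc/self/mountinfo
else
    echo "bind mounts (constructed namespace view):"; sample_ns | bind_mounts
    echo "shared mounts (constructed host view):";    sample_host | shared_mounts
fi
```

Run with `--live` from the shell started by `unshare -m`: an empty `shared_mounts` result confirms the namespace is private, and `bind_mounts` should list `/target/x`.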