Changing the the view of applications and users on the filesystem?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












Is there any way to change what files (in particular files content) an application can see?



I know you can prevent access to files with DAC or MAC, but I don't want to prevent accessing. Instead, I would like to change the content an application can see. When I access a file using an application, for example, I enter /home/user/.profile on my browser and I don't want the application to see the real content, but instead a spoofed version with the same file path however. If I open the file from the terminal or from some other application it should sees the correct content. Is this somehow possible? Can this be extended to changing the contents for specific users?










share|improve this question























  • Maybe you want Linux namespaces. Google it, then do it no matter by lxc-run or lxc-unshare or write your own sandbox. As a question on this website, I think it's too abroad.
    – ç¥žç§˜å¾·é‡Œå…‹
    Sep 13 at 15:04














up vote
0
down vote

favorite












Is there any way to change what files (in particular files content) an application can see?



I know you can prevent access to files with DAC or MAC, but I don't want to prevent accessing. Instead, I would like to change the content an application can see. When I access a file using an application, for example, I enter /home/user/.profile on my browser and I don't want the application to see the real content, but instead a spoofed version with the same file path however. If I open the file from the terminal or from some other application it should sees the correct content. Is this somehow possible? Can this be extended to changing the contents for specific users?










share|improve this question























  • Maybe you want Linux namespaces. Google it, then do it no matter by lxc-run or lxc-unshare or write your own sandbox. As a question on this website, I think it's too abroad.
    – ç¥žç§˜å¾·é‡Œå…‹
    Sep 13 at 15:04












up vote
0
down vote

favorite









up vote
0
down vote

favorite











Is there any way to change what files (in particular files content) an application can see?



I know you can prevent access to files with DAC or MAC, but I don't want to prevent accessing. Instead, I would like to change the content an application can see. When I access a file using an application, for example, I enter /home/user/.profile on my browser and I don't want the application to see the real content, but instead a spoofed version with the same file path however. If I open the file from the terminal or from some other application it should sees the correct content. Is this somehow possible? Can this be extended to changing the contents for specific users?










share|improve this question















Is there any way to change what files (in particular files content) an application can see?



I know you can prevent access to files with DAC or MAC, but I don't want to prevent accessing. Instead, I would like to change the content an application can see. When I access a file using an application, for example, I enter /home/user/.profile on my browser and I don't want the application to see the real content, but instead a spoofed version with the same file path however. If I open the file from the terminal or from some other application it should sees the correct content. Is this somehow possible? Can this be extended to changing the contents for specific users?







linux files






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Sep 13 at 15:51









Goro

5,47052460




5,47052460










asked Sep 13 at 14:44









tainted

11




11











  • Maybe you want Linux namespaces. Google it, then do it no matter by lxc-run or lxc-unshare or write your own sandbox. As a question on this website, I think it's too abroad.
    – ç¥žç§˜å¾·é‡Œå…‹
    Sep 13 at 15:04
















  • Maybe you want Linux namespaces. Google it, then do it no matter by lxc-run or lxc-unshare or write your own sandbox. As a question on this website, I think it's too abroad.
    – ç¥žç§˜å¾·é‡Œå…‹
    Sep 13 at 15:04















Maybe you want Linux namespaces. Google it, then do it no matter by lxc-run or lxc-unshare or write your own sandbox. As a question on this website, I think it's too abroad.
– ç¥žç§˜å¾·é‡Œå…‹
Sep 13 at 15:04




Maybe you want Linux namespaces. Google it, then do it no matter by lxc-run or lxc-unshare or write your own sandbox. As a question on this website, I think it's too abroad.
– ç¥žç§˜å¾·é‡Œå…‹
Sep 13 at 15:04










1 Answer
1






active

oldest

votes

















up vote
0
down vote













You can use Linux mount namespaces to set up a modified view on the filesystem. Container frameworks such as LXC use it behind the scenes. It can be used from shell quite easily as well, but requires root access to setup.



unshare -m
mount --make-rprivate /
mount --bind /spoof/x /target/x
sudo -u YOUR USER COMMAND


Bind mounts are used to hide parts of the original file system tree by mounting over the original paths. mount --make-rprivate prevents any new mounts from propagating between the mount namespaces.



pam_namespace module can be used to configure users in their own mount namespace and configure bind mounts.






share|improve this answer






















  • I'm actually already running in a lxc container. I'm not sure if I can run it nested. The most important paths would be entries under /proc or /sys and I don't know how easy it would be to spoof parts of those without breaking the rest. Background is, I actually want to hide that a container is used.
    – tainted
    Sep 13 at 16:22










  • Running nested mount namespaces shouldn't be an issue. For limiting /proc or /sys you probably should use MAC (SELinux/AppArmor) or choose not to make them visible for your application (run without /proc and /sys mount points altogether).
    – sebasth
    Sep 13 at 19:49











Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f468816%2fchanging-the-the-view-of-applications-and-users-on-the-filesystem%23new-answer', 'question_page');

);

Post as a guest






























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
0
down vote













You can use Linux mount namespaces to set up a modified view on the filesystem. Container frameworks such as LXC use it behind the scenes. It can be used from shell quite easily as well, but requires root access to setup.



unshare -m
mount --make-rprivate /
mount --bind /spoof/x /target/x
sudo -u YOUR USER COMMAND


Bind mounts are used to hide parts of the original file system tree by mounting over the original paths. mount --make-rprivate prevents any new mounts from propagating between the mount namespaces.



pam_namespace module can be used to configure users in their own mount namespace and configure bind mounts.






share|improve this answer






















  • I'm actually already running in a lxc container. I'm not sure if I can run it nested. The most important paths would be entries under /proc or /sys and I don't know how easy it would be to spoof parts of those without breaking the rest. Background is, I actually want to hide that a container is used.
    – tainted
    Sep 13 at 16:22










  • Running nested mount namespaces shouldn't be an issue. For limiting /proc or /sys you probably should use MAC (SELinux/AppArmor) or choose not to make them visible for your application (run without /proc and /sys mount points altogether).
    – sebasth
    Sep 13 at 19:49















up vote
0
down vote













You can use Linux mount namespaces to set up a modified view on the filesystem. Container frameworks such as LXC use it behind the scenes. It can be used from shell quite easily as well, but requires root access to setup.



unshare -m
mount --make-rprivate /
mount --bind /spoof/x /target/x
sudo -u YOUR USER COMMAND


Bind mounts are used to hide parts of the original file system tree by mounting over the original paths. mount --make-rprivate prevents any new mounts from propagating between the mount namespaces.



pam_namespace module can be used to configure users in their own mount namespace and configure bind mounts.






share|improve this answer






















  • I'm actually already running in a lxc container. I'm not sure if I can run it nested. The most important paths would be entries under /proc or /sys and I don't know how easy it would be to spoof parts of those without breaking the rest. Background is, I actually want to hide that a container is used.
    – tainted
    Sep 13 at 16:22










  • Running nested mount namespaces shouldn't be an issue. For limiting /proc or /sys you probably should use MAC (SELinux/AppArmor) or choose not to make them visible for your application (run without /proc and /sys mount points altogether).
    – sebasth
    Sep 13 at 19:49













up vote
0
down vote










up vote
0
down vote









You can use Linux mount namespaces to set up a modified view on the filesystem. Container frameworks such as LXC use it behind the scenes. It can be used from shell quite easily as well, but requires root access to setup.



unshare -m
mount --make-rprivate /
mount --bind /spoof/x /target/x
sudo -u YOUR USER COMMAND


Bind mounts are used to hide parts of the original file system tree by mounting over the original paths. mount --make-rprivate prevents any new mounts from propagating between the mount namespaces.



pam_namespace module can be used to configure users in their own mount namespace and configure bind mounts.






share|improve this answer














You can use Linux mount namespaces to set up a modified view on the filesystem. Container frameworks such as LXC use it behind the scenes. It can be used from shell quite easily as well, but requires root access to setup.



unshare -m
mount --make-rprivate /
mount --bind /spoof/x /target/x
sudo -u YOUR USER COMMAND


Bind mounts are used to hide parts of the original file system tree by mounting over the original paths. mount --make-rprivate prevents any new mounts from propagating between the mount namespaces.



pam_namespace module can be used to configure users in their own mount namespace and configure bind mounts.







share|improve this answer














share|improve this answer



share|improve this answer








edited Sep 13 at 15:39

























answered Sep 13 at 15:30









sebasth

6,52121644




6,52121644











  • I'm actually already running in a lxc container. I'm not sure if I can run it nested. The most important paths would be entries under /proc or /sys and I don't know how easy it would be to spoof parts of those without breaking the rest. Background is, I actually want to hide that a container is used.
    – tainted
    Sep 13 at 16:22










  • Running nested mount namespaces shouldn't be an issue. For limiting /proc or /sys you probably should use MAC (SELinux/AppArmor) or choose not to make them visible for your application (run without /proc and /sys mount points altogether).
    – sebasth
    Sep 13 at 19:49

















  • I'm actually already running in a lxc container. I'm not sure if I can run it nested. The most important paths would be entries under /proc or /sys and I don't know how easy it would be to spoof parts of those without breaking the rest. Background is, I actually want to hide that a container is used.
    – tainted
    Sep 13 at 16:22










  • Running nested mount namespaces shouldn't be an issue. For limiting /proc or /sys you probably should use MAC (SELinux/AppArmor) or choose not to make them visible for your application (run without /proc and /sys mount points altogether).
    – sebasth
    Sep 13 at 19:49
















I'm actually already running in a lxc container. I'm not sure if I can run it nested. The most important paths would be entries under /proc or /sys and I don't know how easy it would be to spoof parts of those without breaking the rest. Background is, I actually want to hide that a container is used.
– tainted
Sep 13 at 16:22




I'm actually already running in a lxc container. I'm not sure if I can run it nested. The most important paths would be entries under /proc or /sys and I don't know how easy it would be to spoof parts of those without breaking the rest. Background is, I actually want to hide that a container is used.
– tainted
Sep 13 at 16:22












Running nested mount namespaces shouldn't be an issue. For limiting /proc or /sys you probably should use MAC (SELinux/AppArmor) or choose not to make them visible for your application (run without /proc and /sys mount points altogether).
– sebasth
Sep 13 at 19:49





Running nested mount namespaces shouldn't be an issue. For limiting /proc or /sys you probably should use MAC (SELinux/AppArmor) or choose not to make them visible for your application (run without /proc and /sys mount points altogether).
– sebasth
Sep 13 at 19:49


















 

draft saved


draft discarded















































 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f468816%2fchanging-the-the-view-of-applications-and-users-on-the-filesystem%23new-answer', 'question_page');

);

Post as a guest













































































Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?