photo 1614064745737 b70184a320d8

Script to run a shell command without breaching security of your home dir: the script still can access the current directory and subdirectories and still can connect to network services including for example Redis to get your secret data. It also can access other directories like /bin or /usr.

#!/bin/sh

# Script to run a shell command without breaching security of your home dir:

# safe cat /home/me/VERY-SECRET-FILE
# cat: /home/me/VERY-SECRET-FILE: No such file or directory

# Requires `firejail`, `expect`, `xserver-xorg-video-dummy`.
# The file /etc/X11/xorg.conf.d/dummy-1920x1080.conf is to be taken from
# https://techoverflow.net/2019/02/23/how-to-run-x-server-using-xserver-xorg-video-dummy-driver-on-ubuntu/

# TODO: 1. Make dependencies optional. 2. Make it able to run X clients.

ARGS="$@"

# --x11=none
# --apparmor
# firejail --noprofile --shell=none --disable-mnt --nogroups --nonewprivs --notv --nou2f --novideo --private=. --seccomp "$@"

TMPDIR="$(mktemp -d)"
trap "test \"$TMPDIR\" != '' && rm -rf \"$TMPDIR\"" EXIT
mkfifo -m600 "$TMPDIR/stdout"
mkfifo -m600 "$TMPDIR/stderr"

if [ -t 1 ]; then
  UNBUFFER="unbuffer -p "
else
  UNBUFFER=""
fi

# I change HOME to be sure that .bashrc, .asound, .Xauthority are not copied!
HOME="$TMPDIR" SHELL=/bin/sh firejail --ignore=seccomp --profile=default --shell=none --disable-mnt --nogroups --nonewprivs --notv --nou2f --novideo --private=. --seccomp --env=DISPLAY=:100 \
  xinit /bin/sh -c "/bin/sh -c \"$UNBUFFER$ARGS\" 1>$TMPDIR/stdout 2>$TMPDIR/stderr" -- -config dummy-1920x1080.conf -quiet :100 2>/dev/null &

cat "$TMPDIR/stdout" &
P1=$!
cat "$TMPDIR/stderr" >&2 &
P2=$!

wait $P1 $P2