Hi Richard,
guestfish shell has an ability to execute commands on the host such as
!mkdir local
tgz-out /remote local/remote-data.tar.gz
What is the best way to restrict access to host from guestfish ?
For instance,
- Allow readonly access to host.. i.e., !ls is allowed
but dont allow !rm or !mkdir
- commands such as tgz-out, or copy-out should be able to access just
/tmp, but nothing else in host filesystem
Appreciate your guidance on this,
Thanks
Raghu
Richard W.M. Jones
2015-Jul-29 16:30 UTC
Re: [Libguestfs] restrict access to host from guestfish
On Wed, Jul 29, 2015 at 06:32:15PM +0530, Raghu wrote:> Hi Richard, > > guestfish shell has an ability to execute commands on the host such as > > !mkdir local > tgz-out /remote local/remote-data.tar.gz > > What is the best way to restrict access to host from guestfish ? > > For instance, > > - Allow readonly access to host.. i.e., !ls is allowed > but dont allow !rm or !mkdir > > - commands such as tgz-out, or copy-out should be able to access just > /tmp, but nothing else in host filesystem > > Appreciate your guidance on this,There's no way to do this at the moment, and no concept of a "restricted shell" in guestfish. How about running the guestfish command in a container or using a restrictive SELinux/AppArmor policy? Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com virt-builder quickly builds VMs from scratch http://libguestfs.org/virt-builder.1.html