A quick look at unprivileged sandboxing
Disclaimer: This is to the best of my knowledge. It's a complicated topic, there are tons of options, and this only covers a tiny fraction of this topic anyway. If you spot mistakes, please tell me.
Suppose you have a server daemon that you want to confine to a single directory. During the startup phase of the program, it also needs to read some files outside of that directory -- you can apply the confinement only when that phase is done.
Suppose you want to run this as an ordinary unprivileged user. No root, no SUID. The program, and the program alone, shall be able to set up its own sandbox while running as an unprivileged user.
How can you do this nowadays?
This is not an exhaustive list and all of the following focuses only on filesystem access.
Common code in util.h and setup
All of the following programs include this header library:
#ifndef UTIL_H
#define UTIL_H
#include