I have a small OpenWRT router, on which I wish to run a daemon which is a Python script. However, even though it is open-source and plain Python, I still don't trust it and I would like to isolate it from the rest of the system as much as possible. It has to do the following:
- Bind and listen on a single TCP port
- Read/write some files in its working directory
Apart from that, it should not be able to do anything. I've thought of doing the following:
- Start a wrapper script as root, bind the port, then drop group membership and drop into a new user before `import`ing and executing the actual script
- Run it in `chroot`
Did I miss anything that would help to make it run more securely?
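
The wrapper described in the question, sketched as an added example that is not part of the original post. The port, jail path, UID/GID and the module name `untrusted_daemon` with its `serve(sock)` entry point are all assumptions chosen for illustration.

```python
#!/usr/bin/env python3
"""Privilege-dropping launcher (added example; names and IDs are assumptions)."""
import importlib
import os
import socket
import sys

PORT = 8080                      # assumed port
JAIL = "/srv/daemon"             # assumed working directory, becomes the chroot
RUN_UID = RUN_GID = 20001        # assumed dedicated unprivileged user/group
MODULE = "untrusted_daemon"      # hypothetical module exposing serve(sock)


def bind_listener(port, host="0.0.0.0"):
    """Bind while still root so ports below 1024 work; the fd survives the drop."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(16)
    return sock


def drop_privileges(jail, uid, gid):
    """Enter the jail and shed root irreversibly. Order matters at every step."""
    if uid == 0 or gid == 0:
        raise ValueError("refusing to 'drop' to root")
    os.chroot(jail)        # needs root, so it must precede setuid
    os.chdir("/")          # otherwise cwd still points outside the jail
    os.setgroups([])       # clear supplementary groups; impossible after setuid
    os.setgid(gid)         # group before user, for the same reason
    os.setuid(uid)         # as root this sets real, effective and saved uid
    os.umask(0o077)        # files the daemon creates are private to its user
    try:                   # verify the drop really is one-way
        os.setuid(0)
    except PermissionError:
        return (os.getuid(), os.getgid())
    raise RuntimeError("privileges could be regained; aborting")


def main():
    sock = bind_listener(PORT)
    drop_privileges(JAIL, RUN_UID, RUN_GID)
    sys.path.insert(0, "/")                  # "/" is now the jail
    daemon = importlib.import_module(MODULE) # untrusted code first runs here
    daemon.serve(sock)


if __name__ == "__main__":
    main()
```

After the `chroot`, every import that has not already been loaded resolves inside the jail, so the jail must contain the script and any standard-library modules it pulls in.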