I have a website, where users are available to upload small applications which runs 24/7 on my server.
So if the user upload an application, some folders will be created:
/{USER_ID}/{APP_ID}/
(if the user folder already exists, the /{USER_ID}/
folder will not be created again)
Inside this directory, the application files will be stored.
For each application the user create, a bash
file will be created inside the /{APP_ID}/
folder which contains the start command for the application.
For example if the user upload a .NET Core
application, a bash file will be created which contains nohup dotnet app.dll ...
.
My question is, how I can secure my server the best way to limit the user's applications rights.
If the user created the application he can click a start button on the website which will run the start.sh
bash file.
What is, if the application the user uploaded change the content of the bash file which can damage the server?
I want to prevent that by making the bash file non-editable/movable/deletable etc.
But I guess u can just do more bad stuff to damage the server.
So how I can prevent the user to only have rights to do stuff inside its folder own folder (/{USER_ID}/
) [only userid because i dont care if the user damage his own applications].
My idea is that if the directory (/{USER_ID}/
) will be created first, php will create a user on my server with only rights inside the /{USER_ID}/
folder.
Will this be secure enough ?
My os is Ubuntu 16.04.