February 11, 2015
A few days ago I discovered the nifty unshare command that's part of Debian's util-linux package when trying to find a way to keep a process from connecting to the internet (without disconnecting my whole machine). Thanks, stackexchange!
If you want to keep a process from connecting to the internet, it's as simple as running (the -n flag gives the command its own, empty network namespace, so it has no interface or route to anything):
$ unshare -n ping google.com
Although, on Debian Wheezy, I found I needed to setuid the unshare binary (chmod +s /usr/bin/unshare) to avoid running the child process as root. This should be safe, as the man page for unshare says:
"The unshare command drops potential privileges before executing the target program. This allows to setuid unshare." (see update below)
Note that this is not a full sandbox, so it doesn't make running malicious code on your computer safe: only the network namespace is new, and the process still has your user's normal access to the filesystem and everything else. It's great for preventing accidental network connections, or for testing how software behaves when the network is unavailable.
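As an added example (not code from the original post), here is a small wrapper around unshare plus a check that the namespace actually took effect. Beyond the post's plain `unshare -n` (which needs root or the setuid trick above), it falls back to `unshare -rn`, which first creates a user namespace mapping the caller to root and then the network namespace; that works unprivileged on modern kernels that allow unprivileged user namespaces and is my assumption about the host, not the post's method. The `nonet` name, the exit code 125 convention and the check function are also my choices.

```shell
#!/bin/sh
# Added example (not from the original post): a "nonet" wrapper around
# unshare(1) plus a check that the new network namespace really took effect.
# Assumptions: Linux with util-linux unshare and /proc mounted. The -rn
# fallback (new user namespace mapping the caller to root, then a new net
# namespace) is the unprivileged route on kernels that permit unprivileged
# user namespaces; it is not the setuid approach from the post.

# nonet_flags: print the unshare flags that work for this user, trying the
# post's plain -n first (needs root or a setuid unshare) and then -rn.
# Returns 1 if neither works (no unshare binary, or namespaces blocked).
nonet_flags() {
    for flags in -n -rn; do
        if unshare "$flags" true 2>/dev/null; then
            printf '%s\n' "$flags"
            return 0
        fi
    done
    return 1
}

# nonet CMD [ARG...]: run CMD in a fresh network namespace. The only
# interface it sees is an unconfigured lo, so connections fail immediately
# (no route) and DNS lookups cannot reach a resolver either.
# Exit status 125 means namespaces are unavailable on this host.
nonet() {
    flags=$(nonet_flags) || {
        echo "nonet: cannot create a network namespace on this host" >&2
        return 125
    }
    unshare "$flags" "$@"
}

# nonet_ifaces: list the interfaces a sandboxed child sees, read from
# /proc/net/dev, which is per-process-namespace. (/sys/class/net is tagged
# by the namespace of the sysfs mount, so without a remount it would still
# show the host's interfaces and give a false sense of isolation.)
nonet_ifaces() {
    nonet awk 'NR > 2 { sub(/:.*/, ""); gsub(/ /, ""); print }' /proc/net/dev
}

# nonet_check: confirm the sandbox is real. Prints "ok" and returns 0 when
# the child is in a different net namespace than us and sees only lo;
# returns 125 if unshare cannot be used here, 1 if the sandbox is leaky.
# Runs in a subshell so its variables do not leak into the caller.
nonet_check() (
    parent_ns=$(readlink /proc/self/ns/net) || return 1
    child_ns=$(nonet readlink /proc/self/ns/net) || return $?
    [ "$child_ns" != "$parent_ns" ] || return 1
    ifaces=$(nonet_ifaces) || return $?
    [ "$ifaces" = "lo" ] || return 1
    echo ok
)

# Demo, run only when NONET_DEMO=1 so the file can also be sourced:
#   NONET_DEMO=1 sh nonet.sh
if [ "${NONET_DEMO:-0}" = 1 ]; then
    nonet_check
    nonet ping -c 1 google.com   # fails: no route, and no reachable resolver
fi
```

The check compares /proc/self/ns/net inside and outside the wrapper and reads /proc/net/dev rather than /sys/class/net, because sysfs keeps showing the host's interfaces after a bare `unshare -n`; if you only looked there you could believe the sandbox failed when it had not, or the reverse.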
Zach Wilcox informed me via email that this no longer works with modern kernels.
I’ve made a new post with some workaround ideas.
The views expressed on this site are my own and do not reflect those of my employer.