https://github.com/orbstack/securefs

Secure Linux file system operations scoped to an arbitrary root directory, without chroot
https://github.com/orbstack/securefs

Last synced: 5 months ago
JSON representation

Secure Linux file system operations scoped to an arbitrary root directory, without chroot

Host: GitHub
URL: https://github.com/orbstack/securefs
Owner: orbstack
License: mit
Created: 2023-07-24T05:25:55.000Z (over 2 years ago)
Default Branch: main
Last Pushed: 2023-07-28T07:13:59.000Z (over 2 years ago)
Last Synced: 2025-06-10T06:08:48.389Z (8 months ago)
Language: Go
Size: 4.88 KB
Stars: 37
Watchers: 1
Forks: 3
Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# securefs

Go library for secure file system operations scoped to an arbitrary root directory on Linux, without chroot, mount namespaces, or other privileged features.

This uses the Linux-specific [openat2](https://man7.org/linux/man-pages/man2/openat2.2.html) syscall with `RESOLVE_IN_ROOT` to prevent symlink escapes and race conditions. Other solutions like [securejoin](https://github.com/cyphar/filepath-securejoin) are subject to race conditions.

Unlike `O_NOFOLLOW`, this supports all file system operations and works with symlinks (as long as they don't escape the specified root directory).

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Awesome

https://github.com/orbstack/securefs

Awesome Lists containing this project

README