I’m keen to start allowing people to build Electron apps on my cloud infrastructure.
On Linux, the security I’m employing is throwaway Docker containers. I know it’s not 100% secure, but it’s better than just executing them in a folder somewhere.
Now, I’m offering the opportunity to build on a Mac. It needs to be within the OS as the build relies on the
The trouble is, on Mac, I don’t know how to lock a user into a folder with basically no permissions except to run the installer. The environment would also need to be cleaned between each build.
How would I go about running a command with a non-privileged user, ensuring the script cannot break out of the folder in question? I looked into jailed roots, but I wondered if this was the most appropriate way to do this.
I have also looked into virtualisation, but initially I’ll only have one virtualised Linux server to do this with – having virtualised OSX instances on there too might not be possible in the first instance. I’m not even sure if it’s legal to virtualise OSX for a service?
I have also seen a method described here:
Is this a good idea?
Just a heads up, the build command is actually a Node.js “bin”, executed like this: