在當今時代，對不可信的可執行檔案保持警惕並不是一個壞主意，但是如果您真的需要在Linux系統上執行一個檔案，有沒有安全的方法呢？今天的超級使用者問答帖子有一些有用的建議，以迴應一位憂心忡忡的讀者的提問。

今天的問答環節是由SuperUser提供的，SuperUser是Stack Exchange的一個分支，是一個由社群驅動的問答網站分組。

問題

超級使用者讀者Emanuele想知道如何在Linux上安全執行不受信任的可執行檔案：

I have downloaded an executable file compiled by a third party and I need to run it on my system (Ubuntu Linux 16.04, x64) with full access to HW resources such as the CPU and GPU (through the NVIDIA drivers).

Suppose this executable file contains a virus or backdoor, how should I run it? Should I create a new user profile, run it, then delete the user profile?

如何在Linux上安全地執行不受信任的可執行檔案？

答案

超級使用者貢獻者Shiki和Emanuele為我們提供了答案。首先，志貴：

First and foremost, if it is a very high risk binary file, you would have to set up an isolated physical machine, run the binary file, then physically destroy the hard drive, the motherboard, and basically all the rest because in this day and age, even your robot vacuum can spread malware. And what if the program already infected your microwave through the computer’s speakers using high-frequency data tran**itting?!

But let’s take off that tinfoil hat and jump back to reality for a bit.

No Virtualization – Quick to Use

Firejail

I had to run a similar untrusted binary file just a few days ago and my search led to this very cool **all program. It is already packaged for Ubuntu, very **all, and has virtually no dependencies. You can install it on Ubuntu using: sudo apt-get install firejail

Package info:

Virtualization

KVM or Virtualbox

This is the safest bet depending on the binary, but hey, see above. If it has been sent by “Mr. Hacker” who is a black belt, black hat programmer, there is a chance that the binary can escape a virtualized environment.

Malware Binary – Cost Saver Method

Rent a virtual machine! For example, virtual server providers like Amazon (AWS), Microsoft (Azure), DigitalOcean, Linode, Vultr, and Ramnode. You rent the machine, run whatever you need, then they will wipe it out. Most of the bigger providers bill by the hour, so it really is cheap.

接著是伊曼紐爾的回答：

A word of caution. Firejail is OK, but one has to be extremely careful in specifying all the opti*** in terms of the blacklist and whitelist. By default, it does not do what is cited in this Linux Magazine article. Firejail’s author has also left some comments about known issues at Github.

Be extremely careful when you use it, it might give you a false sense of security without the right opti***.

有什麼要補充的解釋嗎？在評論中發出聲音。想從其他精通技術的Stack Exchange使用者那裡瞭解更多答案嗎？在這裡檢視完整的討論主題。

圖片來源：監獄囚室剪貼畫(Clker.com網站)