How can I run an untrusted executable on linux safely?

First and foremost, if it's a very-high-risk binary... you would have to set up an isolated physical machine, run the binary, then physically destroy the HDD, the motherboard, and basically all the rest. Because in this day and age, even your robot vacuum can spread malware. And what if the program already infected your microwave through the PC speaker using high-frequency data transmission?!

But, let's take off that tinfoil hat and jump back to reality for a bit.

No virtualization, quick to use: Firejail

It is already packaged on Ubuntu, it is very small, and it has virtually no dependencies.
How to install on Ubuntu: sudo apt-get install firejail

Website: https://firejail.wordpress.com/

Package info:

Package: firejail
Priority: optional
Section: universe/utils
Installed-Size: 457
Maintainer: Ubuntu Developers <[email protected]>
Original-Maintainer: Reiner Herrmann <[email protected]>
Architecture: amd64
Version: 0.9.38-1
Depends: libc6 (>= 2.15)
Filename: pool/universe/f/firejail/firejail_0.9.38-1_amd64.deb
Size: 136284
MD5sum: 81a9a9ef0e094e818eb70152f267b0b6
SHA1: 41d73f8b9d9fd50ef6520dc354825d43ab3cdb16
SHA256: f1cbc1e2191dbe6c5cf4fb0520c7c3d592d631efda21f7ea43ab03a3e8e4b194
Description-en: sandbox to restrict the application environment
 Firejail is a SUID security sandbox program that reduces the risk of
 security breaches by restricting the running environment of untrusted
 applications using Linux namespaces and seccomp-bpf.  It allows a
 process and all its descendants to have their own private view of the
 globally shared kernel resources, such as the network stack, process
 table, mount table.
Description-md5: 001e4831e20916b1cb21d90a1306806f
Homepage: https://firejail.wordpress.com
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu

I had to run a similar "untrusted" binary just a few days ago. And my search led to this very cool small program.

Virtualization: KVM, VirtualBox.
This is the safest bet, depending on the binary. But hey, see above.
If it's been sent by "Mr. Hacker", who is a black-belt black-hat programmer, there is a chance the binary can escape the virtualized environment.

Malware binary, cost-saver method: rent a machine! A virtual one. Example virtual server providers: Amazon (AWS), Microsoft (Azure), DigitalOcean, Linode, Vultr, RamNode. You rent the machine, run whatever you need, then they wipe it. Most of the bigger providers bill by the hour, so it really is cheap.


Just run it on a separate install: set up a separate install on an external drive or another hard drive, make sure your main install's partitions are not mounted (or better yet, disconnect them), and test. You can back this up beforehand in case you need it again, and nuke it once you're done.

It's a much more robust method than sandboxing/jailing, and you can confidently treat the second install as disposable and/or use it only when needed.


From Firejail man page:

   Without  any  options,  the sandbox consists of a filesystem build in a
   new mount namespace, and new PID and UTS namespaces. IPC,  network  and
   user  namespaces  can  be  added  using  the  command line options. The
   default Firejail filesystem is based on the host  filesystem  with  the
   main  system directories mounted read-only. These directories are /etc,
   /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64.  Only  /home
   and /tmp are writable.

This is a high-level description; there are other things going on, for example /boot is blacklisted, and so are /sbin and /usr/sbin.

https://firejail.wordpress.com/features-3/man-firejail/

You can also look at this document: https://firejail.wordpress.com/documentation-2/firefox-guide/ - they have a very good description of the file system.
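The first answer only shows how to install Firejail, and the man page excerpt above says that by default /home and /tmp stay writable, so an untrusted program still sees your real home directory. The wrapper below is an added example (not code from either answer, nor from the Firejail project) that tightens that default: it copies the binary into a throwaway directory, mounts that directory as the sandbox's home with `--private=DIR`, gives the process an empty /tmp, no network and no capabilities, and leaves the scratch directory behind for inspection. It assumes Firejail 0.9.38 (the version in the package info above) and a POSIX sh; the option set and the function names are this wrapper's own choices.

```shell
#!/bin/sh
# Added example: run an untrusted binary under Firejail with a disposable home.
# Not part of Firejail or of the original answers; assumes firejail 0.9.38.
set -u

# Options applied to every run:
#   --private-tmp    fresh, empty /tmp instead of the shared one
#   --private-dev    minimal /dev (no raw disks, no other users' ttys)
#   --net=none       no network interfaces: nothing can phone home
#   --noroot         user namespace in which there is no real root
#   --nonewprivs     setuid/setgid and capability gains are blocked
#   --caps.drop=all  no Linux capabilities at all
#   --seccomp        Firejail's default syscall blacklist (mount, ptrace, ...)
#   --nosound        no access to the sound devices
#   --shell=none     exec the binary directly, no shell in between
SANDBOX_OPTS="--quiet --noprofile --private-tmp --private-dev --net=none --noroot \
--nonewprivs --caps.drop=all --seccomp --nosound --shell=none"

# Firejail mounts the --private directory over $HOME inside the sandbox, so the
# copied binary is reached at $HOME/untrusted.bin there, not at its host path.
SANDBOX_HOME=${HOME:-/root}

# prepare_scratch BINARY
# Copies BINARY into a fresh directory that will become the sandbox's home.
# (--private hides the real home, so a file under ~/Downloads would simply be
# invisible inside.) Prints the scratch directory path.
prepare_scratch() {
  bin=$1
  [ -f "$bin" ] || { echo "prepare_scratch: $bin is not a regular file" >&2; return 1; }
  scratch=$(mktemp -d "${TMPDIR:-/tmp}/untrusted.XXXXXX") || return 1
  cp "$bin" "$scratch/untrusted.bin" || return 1
  chmod u+x "$scratch/untrusted.bin"   # our copy: owned by us, never setuid
  printf '%s\n' "$scratch"
}

# build_firejail_cmd SCRATCHDIR [ARGS...]
# Prints the exact command line run_sandboxed will execute, so it can be
# reviewed (and tested) before anything untrusted runs.
build_firejail_cmd() {
  scratch=$1; shift
  printf 'firejail %s --private=%s -- %s/untrusted.bin' \
    "$SANDBOX_OPTS" "$scratch" "$SANDBOX_HOME"
  for a in "$@"; do printf ' %s' "$a"; done
  printf '\n'
}

# run_sandboxed BINARY [ARGS...]
# Runs BINARY in the sandbox. The scratch directory is deliberately kept so
# that whatever the program wrote to "its" home can be inspected afterwards.
run_sandboxed() {
  bin=$1; shift
  command -v firejail >/dev/null 2>&1 || {
    echo "firejail not installed (sudo apt-get install firejail)" >&2; return 127; }
  scratch=$(prepare_scratch "$bin") || return 1
  echo "sandbox home: $scratch (inspect it, then rm -rf it)" >&2
  # shellcheck disable=SC2086  # SANDBOX_OPTS is intentionally word-split
  firejail $SANDBOX_OPTS --private="$scratch" -- "$SANDBOX_HOME/untrusted.bin" "$@"
}

# Usage: ./sandbox.sh ./suspicious-binary [args...]
if [ $# -gt 0 ]; then
  run_sandboxed "$@"
fi
```

Keeping the scratch directory is the point of the design: after the run, `ls -la` on it shows every file the program created in the only writable location it had, which is usually the first thing you want to know about an unknown binary. `--noroot` needs user namespaces enabled in the kernel; if Firejail refuses to start with it, drop that one option rather than the whole list.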