Properly running binaries on runtime with safety (seteuid etc)
So if I want to run a binary using exec() on a child process after fork, but want to restrict its file access to a certain directory only, how does one safely do that?
Does this involve creating a new user in unix/linux, and then setting the uid to that user? Or would this require creating a group (say, webapps) and then using setguid?
Of course, one can just run the binary as is, but it seems that taking some precautions with security is never a bad idea.
I'd take a look at chroot. It's a relatively easy way to separate parts of your system.
In a nutshell: you change the root for a particular process, so /path/to/working/dir is now / for that process. Of course you have to add everything that is necessary (utilities, libraries, configuration) to this folder.
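The fork, chroot, drop-privileges, exec sequence discussed in the question and answer above, as an added example that is not part of the original posts. The jail path, uid/gid 1001 and `/bin/app` are constructed placeholders, and the parent is assumed to start as root, because chroot() requires that privilege.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* for chroot() and setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define JAIL_SETUP_FAILED 120   /* child could not enter the jail or drop root */

/* Runs argv[0] (a path inside the jail) chrooted to jail_dir as uid/gid.
 * Returns the child's exit status, or -1 on bad arguments or fork/wait failure. */
int run_confined(const char *jail_dir, uid_t uid, gid_t gid, char *const argv[])
{
    if (uid == 0 || gid == 0)   /* a root process can escape a chroot */
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* chroot() needs privilege, so it runs before the drop; chdir("/")
         * ensures the working directory is not left outside the new root. */
        if (chroot(jail_dir) != 0 || chdir("/") != 0)
            _exit(JAIL_SETUP_FAILED);
        /* Groups first, uid last. setuid() as root also clears the saved
         * uid; seteuid() would leave it set and the drop could be undone. */
        if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
            _exit(JAIL_SETUP_FAILED);
        if (setuid(0) == 0)     /* regaining root must fail */
            _exit(JAIL_SETUP_FAILED);
        execv(argv[0], argv);
        _exit(127);             /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed placeholders: jail directory, ids and binary path. */
    char *const argv[] = { "/bin/app", NULL };
    int rc = run_confined("/srv/jail", 1001, 1001, argv);
    printf("child exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The binary and every library and configuration file it needs must already exist under the jail directory, since paths are resolved against the new root once chroot() succeeds.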