Is there a way to sandbox a Linux process into a certain directory, and give this process exclusive rw access to this dir? For example, create a temporary working directory, and start e.g. python or another scripting tool in such a way that it can only write in this directory, without limiting too much of its functionality. And also that only this process can read from this directory (except for superusers, of course).
I need this to sandbox a web service that basically allows users to run arbitrary code. We currently do authorization in the software itself, but in the end all processes run as one and the same Linux user. We would need a way in which a user cannot do any harm on the system, but does have a temporary private working directory to write and read files that is protected from the other users of the web service.
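One way to set this up, as an added example and not code from the question or any answer: create a fresh 0700 working directory per job and launch the job under bubblewrap (`bwrap`) with a mount namespace in which only that directory is bound read-write, the system directories are bound read-only, and nothing else from the host is visible. It assumes `bwrap` is installed and unprivileged user namespaces are enabled; the mount point `/work`, the `job-` prefix and the function names are choices made here.

```python
"""Per-job sandbox: private 0700 working directory plus a bubblewrap command
line that exposes only that directory read-write.

Added example, not from the original post. Assumes bubblewrap (`bwrap`) is
installed and unprivileged user namespaces are allowed; the /work mount point
and the function names are assumptions made here.
"""
import os
import shutil
import stat
import subprocess
import tempfile


def make_private_workdir(base=None):
    """Create a fresh directory readable and writable only by its owner (0700)."""
    path = tempfile.mkdtemp(prefix="job-", dir=base)
    os.chmod(path, 0o700)  # mkdtemp already uses 0700; make the intent explicit
    return path


def workdir_is_private(path):
    """True when no group or world permission bits are set on the directory."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def build_bwrap_command(workdir, argv, mount_point="/work"):
    """Return the bwrap argument list for running argv with workdir as the only
    writable host directory: fresh namespaces, read-only system dirs, no network,
    private /proc, /dev and /tmp, and the job's directory bound at mount_point."""
    cmd = [
        "bwrap",
        "--unshare-all",        # new user, pid, net, ipc, uts and cgroup namespaces
        "--die-with-parent",    # kill the job if the service that spawned it dies
        "--new-session",        # detach from the caller's controlling terminal
        "--ro-bind", "/usr", "/usr",
        "--proc", "/proc",
        "--dev", "/dev",
        "--tmpfs", "/tmp",
        "--bind", workdir, mount_point,
        "--chdir", mount_point,
    ]
    # On merged-/usr systems /lib, /lib64, /bin and /sbin are symlinks into /usr;
    # recreate the symlink inside the sandbox, otherwise bind the real dir read-only.
    for d in ("/lib", "/lib64", "/bin", "/sbin", "/etc"):
        if os.path.islink(d):
            cmd += ["--symlink", os.readlink(d), d]
        elif os.path.isdir(d):
            cmd += ["--ro-bind", d, d]
    return cmd + ["--"] + list(argv)


def run_sandboxed(workdir, argv, timeout=30):
    """Run argv inside the sandbox and return the CompletedProcess.
    Raises RuntimeError if bwrap is not available rather than running unsandboxed."""
    if shutil.which("bwrap") is None:
        raise RuntimeError("bwrap not installed; refusing to run the job unsandboxed")
    return subprocess.run(build_bwrap_command(workdir, argv),
                          capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    job_dir = make_private_workdir()
    assert workdir_is_private(job_dir)
    # The job can write to /work (its own directory) but sees no other host path.
    result = run_sandboxed(job_dir, ["python3", "-c",
                                     "open('/work/out.txt', 'w').write('hello')"])
    print(result.returncode, os.listdir(job_dir))
    shutil.rmtree(job_dir)
```

The bind mount hides the directory from every other sandboxed job, but a process running as the same host uid outside any sandbox can still read it; keeping jobs private from each other on the host side as well means giving each job a distinct uid (or a distinct user-namespace mapping), not just a distinct directory.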