Dtyjlui

If they are really untrusted, and you want to be sure, you'd set up a separate box. Either really, or virtually.

Further, you don't want that box to be in the same network as your important stuff, if you are paranoid enough. In all solutions you'd set up a separate user with no rights, so not to open too much tools to the would-be compromiser.

• So the safest option would be a separate box removed physically from your network.


• You could give in a bit by adding it to the physical network, but on a different subnet: no 'real' connection inside


• A virtual machine would be an option, but might have to give up some performance

If you are bound on running it on the same box, you have for instance, this option

• 
  chroot. This is a default option for doing this for lots of people, and for non-specific threats it might even work. But it is NOT a security option, and can be broken out of rather easily. I'd suggest to use this as intended, i.e. not for security.

In the end you might need to set up a specific sandboxing model without the hassle of virtualization or separate boxes, or the still-at-risk situation of chroot. I doubt this is what you meant, but look at this link for some more in-depth information.

Firejail is fairly new and in constant development. Easy to use.

You can simply:

sudo apt-get install firejail

firejail app

Docker will help you to set up containers that you can run off of your current kernel, yet keep contained away from the rest of your system. It seems pretty cutting edge but there's an Ubuntu focus an good documentation.

Full virtualization/emulation (VirtualBox)

One possible solution is virtualization software such as VirtualBox which you can find in the software centre.

• Install Virtual box


• Create a virtual machine with networking enabled


• Install Ubuntu or perhaps a lighter desktop such as Lubuntu


• Fully update the installed OS (inside Virtual box)


• Disable Networking on the virtual machine


• Take a snapshot

You can now install the software you don't trust to see what it does. It can't upset the outside world or you host OS as it does not have access.

It may trash your virtual machine however but if it does you can just restore from your snapshot.

There may be other methods to limit the destructive power of untrusted software but this is the most robust method I can think of.

Container-based virtualization (Docker/LXC)

Another option may be LXC more information here

LXC is the userspace control package for Linux Containers, a lightweight virtual system mechanism sometimes described as “chroot on steroids”.

LXC builds up from chroot to implement complete virtual systems, adding resource management and isolation mechanisms to Linux’s existing process management infrastructure.

It's available in the software centre. I have no experience with however.

mbox

Mbox is a lightweight sandboxing mechanism that any user can use without special privileges in commodity operating systems.

• Source repo

I've used it for a couple of things reliably.

subuser

You can use subuser to sandbox your applications with Docker. This allows you do things like sandbox GUI apps, which isn't easy to do with Docker directly.

sudo apt install subuser

• Using subuser - a quick tutorial

I think, a possible solution is to create a separate user for testing purposes, and limit his privileges. This way you won't lose in performance, what would definitely happen in virtual machine, but I think this is less safe, if not set up very properly, which I can't advice on how to do.

DoSH - Docker SHell

In case that you simply want to sandbox the activity of the users, you can use "DoSH"

DoSH (which stands for Docker SHell) is a development to create Docker containers when users log in the Linux system and run a shell into them, instead of symply creating the shell.