Question

I want to add a feature to a Linux-based web service that allows untrusted users to upload the source code to a small C++ program, and for that code to be automatically saved to a file on the server and compiled with gcc and then executed, capturing the standard output. (This is a feature not unlike ideone.com, or spoj.pl, or topcoder.com, or codechef.com, or many other web sites that do this.)

My questions are:

Q1. How do I sandbox the executable to guard against malicious users that try to damage the filesystem or access the network, etc.?

Q2. Is there a fair/accurate way of rationing system resources to the process, such as processor time and memory usage?

Solution

  1. chroot jail
  2. ulimit
  3. patch kernel so socket() by the uid you are running this as fails.
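
As an added example (not part of the original answer), here is one way to combine items 1 and 2 in a C launcher: the child optionally enters a chroot jail and drops privileges, applies the same limits `ulimit` sets via `setrlimit()`, then executes the compiled program while the parent captures its standard output. The names `run_limited` and `cap`, the 1 MiB file-size cap, and the sample limits are assumptions made for illustration; item 3 (blocking `socket()`) is not covered.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: set soft and hard limit to the same value. */
static void cap(int resource, rlim_t value) {
    struct rlimit rl = { value, value };
    if (setrlimit(resource, &rl) != 0) _exit(126);
}

/* Run argv[0] under CPU and memory caps, capturing stdout into out.
 * If jail is non-NULL (caller must be root) the child chroots there and
 * drops to uid/gid. Returns the wait status, or -1 on setup failure. */
int run_limited(char *const argv[], const char *jail, uid_t uid, gid_t gid,
                rlim_t cpu_secs, rlim_t mem_bytes, char *out, size_t outsz) {
    int fds[2];
    if (outsz == 0 || pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0) _exit(126);
        close(fds[1]);
        /* chdir("/") right after chroot; drop groups before the uid. */
        if (jail && (chroot(jail) || chdir("/") || setgroups(0, NULL) ||
                     setgid(gid) || setuid(uid)))
            _exit(126);
        cap(RLIMIT_CPU, cpu_secs);   /* kernel kills the process past this */
        cap(RLIMIT_AS, mem_bytes);   /* allocations fail past this size */
        cap(RLIMIT_FSIZE, 1 << 20);  /* at most 1 MiB written per file */
        cap(RLIMIT_CORE, 0);         /* no core dumps */
        execv(argv[0], argv);
        _exit(127);                  /* exec failed */
    }
    close(fds[1]);
    size_t used = 0;
    ssize_t n;
    while ((n = read(fds[0], out + used, outsz - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);  /* output past the buffer gives the child SIGPIPE */
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return status;
}
```

`RLIMIT_CPU` counts CPU time, not wall-clock time, so a program that sleeps or blocks on input needs a separate wall-clock timeout in the parent.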
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow