Question

I want to add a feature to a Linux-based web service that allows untrusted users to upload the source code to a small C++ program, and for that code to be automatically saved to a file on the server and compiled with gcc and then executed, capturing the standard output. (This is a feature not unlike ideone.com, or spoj.pl, or topcoder.com, or codechef.com, or many other web sites that do this.)

My questions are:

Q1. How do I sandbox the executable to guard against malicious users that try to damage the filesystem or access the network, etc?

Q2. Is there a fair/accurate way of rationing system resources to the process, such as processor time and memory usage?


Solution

  1. chroot jail
  2. ulimit
  3. patch kernel so socket() by the uid you are running this as fails.
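
Items 1 and 2 of the answer combined into one launcher, as an added example that is not part of the original answer. `run_limited` and its parameters are hypothetical names; it assumes Linux, and the chroot and uid-drop path assumes the launcher starts as root with a prepared jail directory. Item 3 (blocking `socket()`) is not covered here.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* for chroot() and setgroups() */
#endif
#include <grp.h>
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Soft == hard, so the child cannot raise the limit again. */
static int cap(int resource, rlim_t value) {
    struct rlimit rl = { value, value };
    return setrlimit(resource, &rl);
}

/* Run argv[0] under resource limits. If jail is non-NULL the caller must be
 * root: the child chroots into jail, then drops to the given uid/gid.
 * Returns the exit code, 128 + signal number if killed, -1 on fork failure,
 * 126 if the sandbox setup failed, 127 if exec failed. */
int run_limited(char *const argv[], const char *jail, uid_t uid, gid_t gid,
                rlim_t cpu_secs, rlim_t mem_bytes) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (jail && (chroot(jail) != 0 || chdir("/") != 0)) _exit(126);
        /* Groups first: after setuid() we may no longer change them. */
        if (jail && (setgroups(0, NULL) != 0 || setgid(gid) != 0 ||
                     setuid(uid) != 0)) _exit(126);
        if (cap(RLIMIT_CPU, cpu_secs) != 0 ||    /* CPU seconds */
            cap(RLIMIT_AS, mem_bytes) != 0 ||    /* address space */
            cap(RLIMIT_FSIZE, 1 << 20) != 0 ||   /* bytes per written file */
            cap(RLIMIT_CORE, 0) != 0)            /* no core dumps */
            _exit(126);
        execv(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) return 128 + WTERMSIG(status);
    return WEXITSTATUS(status);
}

int main(void) {
    /* Constructed sample: a busy loop standing in for a submitted program. */
    char *spin[] = { "/bin/sh", "-c", "while :; do :; done", NULL };
    int rc = run_limited(spin, NULL, 0, 0, 1, 256UL << 20);
    printf("busy loop: status %d (128+SIGKILL is %d)\n", rc, 128 + SIGKILL);
    return 0;
}
```

With the soft and hard CPU limits equal, Linux ends the process with SIGKILL once the limit is reached; a lower soft limit would deliver SIGXCPU first.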
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow