I want to add a feature to a Linux-based web service that allows untrusted users to upload the source code to a small C++ program, and for that code to be automatically saved to a file on the server and compiled with gcc and then executed, capturing the standard output. (This is a feature not unlike ideone.com, or spoj.pl, or topcoder.com, or codechef.com, or many other web sites that do this.)

My questions are:

Q1. How do I sandbox the executable to guard against malicious users that try to damage the filesystem or access the network, etc.?

Q2. Is there a fair/accurate way of rationing system resources to the process, such as processor time and memory usage?


Solution

  1. chroot jail
  2. ulimit
  3. patch kernel so socket() by the uid you are running this as fails.
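
Items 1 and 2 combined in one launcher, as an added example that is not part of the original answer: the child sets its limits with `setrlimit()` (the system call behind `ulimit`), optionally enters a chroot jail and drops root, then execs the program. The names `run_limited` and `set_limit`, the limit values, and the uid/gid of a dedicated unprivileged account are assumptions; item 3 (blocking `socket()`) is not covered.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* for chroot() and setgroups() */
#endif
#include <grp.h>
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set soft limit and hard = soft + slack, clamped to the current hard limit. */
static int set_limit(int resource, rlim_t soft, rlim_t slack) {
    struct rlimit cur, rl = { soft, soft + slack };
    if (getrlimit(resource, &cur)) return -1;
    if (rl.rlim_max > cur.rlim_max) rl.rlim_max = cur.rlim_max;
    if (rl.rlim_cur > rl.rlim_max) rl.rlim_cur = rl.rlim_max;
    return setrlimit(resource, &rl);
}

/* Fork, confine the child, exec argv[0]. With jail != NULL the caller must be
 * root and uid/gid an unprivileged account. Returns wait status, -1 on error. */
int run_limited(char *const argv[], const char *jail, uid_t uid, gid_t gid,
                rlim_t cpu_secs, rlim_t mem_bytes) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* CPU time: SIGXCPU at the soft limit, SIGKILL one second later. */
        if (set_limit(RLIMIT_CPU, cpu_secs, 1) ||
            set_limit(RLIMIT_AS, mem_bytes, 0) ||     /* address space */
            set_limit(RLIMIT_FSIZE, 1 << 20, 0) ||    /* 1 MiB per file */
            set_limit(RLIMIT_CORE, 0, 0))             /* no core dumps */
            _exit(126);
        /* Drop root right after chroot: a root process can leave the jail. */
        if (jail && (chroot(jail) || chdir("/") || setgroups(0, NULL) ||
                     setgid(gid) || setuid(uid)))
            _exit(126);
        execv(argv[0], argv);
        _exit(127);                                   /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return status;
}

int main(void) {
    char *spin[] = { "/bin/sh", "-c", "while :; do :; done", NULL };
    int st = run_limited(spin, NULL, 0, 0, 1, 512UL << 20);  /* no jail */
    if (st != -1 && WIFSIGNALED(st)) printf("signal %d\n", WTERMSIG(st));
    return 0;
}
```
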
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow