Question

I want to add a feature to a Linux-based web service that allows untrusted users to upload the source code to a small C++ program, and for that code to be automatically saved to a file on the server and compiled with gcc and then executed, capturing the standard output. (This is a feature not unlike ideone.com, or spoj.pl, or topcoder.com, or codechef.com, or many other web sites that do this.)

My questions are:

Q1. How do I sandbox the executable to guard against malicious users that try to damage the filesystem or access the network, etc?

Q2. Is there a fair/accurate way of rationing system resources to the process, such as processor time and memory usage?

Solution

  1. chroot jail
  2. ulimit
  3. patch kernel so socket() by the uid you are running this as fails.
License: CC-BY-SA with attribution
Not affiliated with StackOverflow
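A sketch of how items 1 and 2 of the answer fit together in a launcher, as an added example that is not part of the original answer: `setrlimit()` is the system call behind `ulimit`, and the limits are applied in the forked child before `chroot()` and the privilege drop. The names `run_limited`, `jail` and `uid` are hypothetical, the jail path requires the caller to be root, and item 3 (blocking `socket()`) is not covered.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <signal.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>
/* Set soft and hard limit together so the child cannot raise it again. */
static void cap(int res, rlim_t v) {
    struct rlimit r = { v, v };
    if (setrlimit(res, &r) != 0) _exit(126);
}

/* Run argv[0] under limits, capturing stdout into out (NUL-terminated).
 * jail and uid are hypothetical: with jail set, the caller must be root and
 * argv[0] is resolved inside the jail; uid is assumed to have gid == uid.
 * Returns the exit status, -signal if killed, -1000 on setup failure. */
int run_limited(char *const argv[], const char *jail, uid_t uid,
                rlim_t cpu_secs, rlim_t mem_bytes, char *out, size_t outsz) {
    int fds[2], status;
    size_t used = 0;
    ssize_t n;
    char buf[256];
    if (outsz == 0 || pipe(fds) != 0) return -1000;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1000; }
    if (pid == 0) {
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0) _exit(126);
        close(fds[1]);
        cap(RLIMIT_CPU, cpu_secs);   /* processor time, in seconds */
        cap(RLIMIT_AS, mem_bytes);   /* address space, in bytes */
        cap(RLIMIT_FSIZE, 1 << 20);  /* largest file the program may write */
        cap(RLIMIT_CORE, 0);         /* no core dumps */
        /* Any failure here aborts: never exec untrusted code unjailed. */
        if (jail && (chroot(jail) || chdir("/") || setgroups(0, NULL) ||
                     setgid(uid) || setuid(uid)))
            _exit(126);
        execv(argv[0], argv);
        _exit(127);
    }
    close(fds[1]);
    /* Keep draining past the buffer size so a chatty child cannot block. */
    while ((n = read(fds[0], buf, sizeof buf)) > 0)
        for (ssize_t i = 0; i < n && used + 1 < outsz; i++) out[used++] = buf[i];
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0) return -1000;
    return WIFSIGNALED(status) ? -WTERMSIG(status) : WEXITSTATUS(status);
}
```

A negative return value means the kernel killed the program, which is what a submission that exceeds its CPU limit looks like to the caller.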