Sandboxing Publicly Accessible GCC

大憨熊 提交于 2019-12-08 04:57:17

问题


I want to add a feature to a linux-based web service that allows untrusted users to upload the source code to a small C++ program, and for that code to be automatically saved to a file on the server and compiled with gcc and then executed, capturing the standard output. (This is a feature not unlike ideone.com, or spoj.pl, or topcoder.com, or codechef.com, or many of other web sites that do this.)

My questions are:

Q1. How do I sandbox the executable to guard against malicous users that try to damage the filesystem or access the network, etc?

Q2. Is there a fair/accurate way of rashoning system resources to the process, such as processor time and memory usage?


回答1:


  1. chroot jail
  2. ulimit
  3. patch kernel so socket() by the uid you are running this as fails.


来源:https://stackoverflow.com/questions/9827551/sandboxing-publicly-accessible-gcc

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!