Question
I want to add a feature to a linux-based web service that allows untrusted users to upload the source code to a small C++ program, and for that code to be automatically saved to a file on the server and compiled with gcc and then executed, capturing the standard output. (This is a feature not unlike ideone.com, or spoj.pl, or topcoder.com, or codechef.com, or many other web sites that do this.)
My questions are:
Q1. How do I sandbox the executable to guard against malicious users that try to damage the filesystem or access the network, etc?
Q2. Is there a fair/accurate way of rationing system resources to the process, such as processor time and memory usage?
Answer 1:
- chroot jail
- ulimit
- patch kernel so socket() by the uid you are running this as fails.
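The `ulimit` item of the answer, and the rationing asked about in Q2, map directly onto per-process rlimits. The following is an added example, not code from the question, the answer or any of the sites named: it runs an untrusted program under CPU-time, address-space, process-count, file-size and core-dump limits plus a wall-clock deadline, and captures its stdout. The function names (`run_limited`, `compile_cpp`) and the default limit values are assumptions; the chroot and socket items of the answer need root or kernel changes and are not covered here.

```python
"""Resource-limited runner for untrusted programs (added example, Linux only)."""
import os
import resource
import signal
import subprocess
import sys

PYTHON = sys.executable  # used by the self-tests below as a stand-in "untrusted" program


def _apply_limits(cpu_seconds, mem_bytes, max_procs, max_file_bytes):
    """Build a callable that sets rlimits in the child between fork() and exec()."""
    def limits():
        # CPU time: SIGXCPU at the soft limit, SIGKILL at the hard limit one second later.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
        # Address space: allocations past this fail (malloc returns NULL, new throws).
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
        # Process count is per-uid, so this caps fork bombs for the sandbox uid.
        resource.setrlimit(resource.RLIMIT_NPROC, (max_procs, max_procs))
        # Largest file the program may write; stdout is a pipe and is unaffected.
        resource.setrlimit(resource.RLIMIT_FSIZE, (max_file_bytes, max_file_bytes))
        # No core dumps, so a crashing submission cannot fill the disk.
        resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
    return limits


def run_limited(argv, cpu_seconds=2, mem_bytes=256 * 1024 * 1024, wall_seconds=10,
                max_procs=32, max_file_bytes=1024 * 1024, max_output=64 * 1024, cwd=None):
    """Run argv under rlimits and a wall-clock deadline; return captured output and status."""
    proc = subprocess.Popen(
        argv,
        stdin=subprocess.DEVNULL,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        cwd=cwd,
        env={"PATH": "/usr/bin:/bin"},   # do not leak the service's environment
        start_new_session=True,          # own process group: kill all of it on timeout
        preexec_fn=_apply_limits(cpu_seconds, mem_bytes, max_procs, max_file_bytes),
    )
    timed_out = False
    try:
        out, err = proc.communicate(timeout=wall_seconds)
    except subprocess.TimeoutExpired:
        # A program that sleeps or blocks never hits RLIMIT_CPU, so a wall clock is needed too.
        timed_out = True
        os.killpg(proc.pid, signal.SIGKILL)
        out, err = proc.communicate()
    return {
        "stdout": out[:max_output].decode(errors="replace"),  # cap what we keep, not what it writes
        "stderr": err[:max_output].decode(errors="replace"),
        "returncode": proc.returncode,
        "timed_out": timed_out,
    }


def compile_cpp(source_path, exe_path):
    """Compile a submission with the same runner; g++ needs far more memory and time than
    the program itself, so it gets its own, larger limits (values are assumptions)."""
    return run_limited(["g++", "-O2", "-o", exe_path, source_path],
                       cpu_seconds=30, mem_bytes=2 * 1024 * 1024 * 1024,
                       wall_seconds=60, max_file_bytes=64 * 1024 * 1024)


if __name__ == "__main__":
    # Demo: a busy loop is stopped by the CPU limit long before the wall-clock deadline.
    print(run_limited([PYTHON, "-c", "while True: pass"], cpu_seconds=1, wall_seconds=10))
```

Each limit answers one failure mode: RLIMIT_CPU and the wall clock for runaway time, RLIMIT_AS for memory, RLIMIT_NPROC for fork bombs, RLIMIT_FSIZE and RLIMIT_CORE for disk filling. Because RLIMIT_NPROC counts every process of the uid, this only works as intended when submissions run as a dedicated uid; the filesystem and network questions (Q1) still need the chroot and socket restrictions from the answer, or a Linux namespace/seccomp sandbox, on top of this.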
Source: https://stackoverflow.com/questions/9827551/sandboxing-publicly-accessible-gcc