Sandboxing in Linux
Question
I want to create a Web app which would allow the user to upload some C code, and see the results of its execution (the code would be compiled on the server). The users are untrusted, which obviously has some huge security implications.
So I need to create some kind of sandbox for the apps. At the most basic level, I'd like to restrict access to the file system to some specified directories. I cannot use chroot jails directly, since the web app is not running as a privileged user. I guess a suid executable which sets up the jail would be an option.
The uploaded programs would be rather small, so they should execute quickly (a couple of seconds at most). Hence, I can kill the process after a preset timeout, but how do I ensure that it doesn't spawn new processes? Or if I can't, is killing the entire pgid a reliable method?
What would be the best way to go about this - other than "don't do it at all"? :) What other glaring security problems have I missed?
FWIW, the web app will be written in Python.
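The timeout, process-group kill and anti-spawning controls the question asks about, as an added Python example that is not from the original post: it assumes the uploaded C code has already been compiled to a binary that is run from a per-job working directory, and it relies on setsid plus rlimits applied between fork and exec, since, as noted, chroot needs privileges.

```python
import os
import resource
import signal
import subprocess
from collections import namedtuple
from dataclasses import dataclass

Result = namedtuple("Result", "returncode stdout stderr timed_out")

@dataclass
class Limits:
    cpu_seconds: int = 2           # RLIMIT_CPU: CPU time before SIGXCPU/SIGKILL
    memory_bytes: int = 256 << 20  # RLIMIT_AS: address-space cap
    output_bytes: int = 1 << 20    # RLIMIT_FSIZE: largest file it may write
    nproc: int = 1                 # RLIMIT_NPROC: per-uid count, so 1 makes fork() fail (root exempt)

def _apply_limits(limits):
    """Runs in the child between fork() and exec(); rlimits survive exec()."""
    for res, value in (
        (resource.RLIMIT_CPU, limits.cpu_seconds),
        (resource.RLIMIT_AS, limits.memory_bytes),
        (resource.RLIMIT_FSIZE, limits.output_bytes),
        (resource.RLIMIT_NPROC, limits.nproc),
    ):
        resource.setrlimit(res, (value, value))
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))  # no core dumps on disk

def run_sandboxed(argv, workdir, wall_seconds=5.0, limits=None):
    """Run one untrusted binary in its own process group with rlimits applied."""
    limits = limits or Limits()
    proc = subprocess.Popen(
        argv,
        cwd=workdir,                     # assumed per-job directory
        stdin=subprocess.DEVNULL,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        start_new_session=True,          # setsid(): child leads a fresh process group
        preexec_fn=lambda: _apply_limits(limits),
        env={"PATH": "/usr/bin:/bin"},   # do not leak the web app's environment
    )
    try:
        out, err = proc.communicate(timeout=wall_seconds)
        return Result(proc.returncode, out, err, False)
    except subprocess.TimeoutExpired:
        # Kill the whole group (pgid == child pid after setsid) so anything it
        # managed to spawn dies with it, then reap it to avoid a zombie.
        os.killpg(proc.pid, signal.SIGKILL)
        out, err = proc.communicate()
        return Result(None, out, err, True)
```

Killing the group rather than the pid is what makes the pgid approach reliable here: after setsid() nothing the child spawns can leave that group without privileges, and RLIMIT_NPROC stops the spawning in the first place for non-root uids.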
Recommended answer
Along with the other suggestions you might find this useful.
This is from http://codepad.org/about, codepad.org's about page.