Sandboxing in Linux
Question
I want to create a Web app which would allow the user to upload some C code, and see the results of its execution (the code would be compiled on the server). The users are untrusted, which obviously has some huge security implications.
So I need to create some kind of sandbox for the apps. At the most basic level, I'd like to restrict access to the file system to some specified directories. I cannot use chroot jails directly, since the web app is not running as a privileged user. I guess a suid executable which sets up the jail would be an option.
The uploaded programs would be rather small, so they should execute quickly (a couple of seconds at most). Hence, I can kill the process after a preset timeout, but how do I ensure that it doesn't spawn new processes? Or if I can't, is killing the entire pgid a reliable method?
What would be the best way to go about this - other than "don't do it at all"? :) What other glaring security problems have I missed?
FWIW, the web app will be written in Python.
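A minimal Python runner for the approach the question sketches (own process group, preset wall-clock timeout, kill the whole pgid, resource limits on the child), added here as an example; it is not from the original post or from codepad.org. The limit values, the `RunResult` type and `run_sandboxed` are my own names and illustrative choices.

```python
"""Run an untrusted binary under resource limits, in its own process group,
and kill the whole group when a wall-clock timeout expires."""
import os
import resource
import signal
import subprocess
import sys
import time
from dataclasses import dataclass

# Illustrative limits (constructed for this example); tune per deployment.
CPU_SECONDS = 2           # RLIMIT_CPU: kernel sends SIGXCPU, then SIGKILL at the hard limit
MEMORY_BYTES = 256 << 20  # RLIMIT_AS: address-space ceiling
MAX_PROCESSES = 16        # RLIMIT_NPROC: per-user cap on fork(); root/CAP_SYS_RESOURCE bypass it
OUTPUT_BYTES = 1 << 20    # RLIMIT_FSIZE for files; also how much captured stdout we keep
PYTHON = sys.executable   # used only by the self-test below as a stand-in for a compiled program


def _limit_child():
    """Runs in the child between fork() and exec(). Must stay async-signal-safe:
    setrlimit() only, no logging, no locks (preexec_fn is unsafe with threads)."""
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_SECONDS, CPU_SECONDS + 1))
    resource.setrlimit(resource.RLIMIT_AS, (MEMORY_BYTES, MEMORY_BYTES))
    resource.setrlimit(resource.RLIMIT_NPROC, (MAX_PROCESSES, MAX_PROCESSES))
    resource.setrlimit(resource.RLIMIT_FSIZE, (OUTPUT_BYTES, OUTPUT_BYTES))
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))  # no core dumps in the work dir


@dataclass
class RunResult:
    stdout: bytes
    returncode: int      # negative signal number if killed (e.g. -9 for SIGKILL)
    timed_out: bool
    wall_seconds: float


def run_sandboxed(argv, wall_timeout=5.0, cwd=None):
    """Execute argv; on timeout SIGKILL the entire process group so children
    the program forked die with it (they inherit the pgid unless they setsid())."""
    started = time.monotonic()
    proc = subprocess.Popen(
        argv, cwd=cwd, stdin=subprocess.DEVNULL,
        stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
        preexec_fn=_limit_child,
        start_new_session=True,          # setsid(): child leads a fresh session and pgid == pid
        env={"PATH": "/usr/bin:/bin"},   # do not leak the web app's environment (keys, tokens)
    )
    try:
        out, _ = proc.communicate(timeout=wall_timeout)
        timed_out = False
    except subprocess.TimeoutExpired:
        os.killpg(proc.pid, signal.SIGKILL)   # whole group, not just the leader
        out, _ = proc.communicate()           # reap; collect whatever was written
        timed_out = True
    return RunResult(out[:OUTPUT_BYTES], proc.returncode, timed_out, time.monotonic() - started)
```

Killing the process group only reaches children that stayed in the group; a program that calls setsid() itself escapes it, which is why RLIMIT_NPROC, a chroot or PID namespaces are layered on top rather than relied on alone.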
Recommended answer
Along with the other suggestions you might find this useful.
This is from http://codepad.org/about, codepad.org's about page.