在服务器上安全执行用户提交的python代码 [英] Safely executing user-submitted python code on the server

问题描述

我正在考虑启动一个项目，该项目涉及执行用户通过 HTML 表单输入的 Python 代码.我知道这可能是致命的 (exec)，但我已经看到它至少在 一个实例.

I am looking into starting a project which involves executing python code that the user enters via a HTML form. I know this can be potentially lethal (exec), but I have seen it done successfully in at least one instance.

我给 Python Challenge 的开发者发送了一封电子邮件，我被告知他们正在使用他们自己想出了一个解决方案，他们只是说他们正在使用操作系统提供的安全功能"和操作系统 [Linux] 如果您知道如何使用它，就可以提供您需要的大部分安全性."

I sent an email off to the developers of the Python Challenge and I was told they are using a solution they came up with themselves, and they only let on that they are using "security features provided by the operating system" and that "the operating system [Linux] provides most of the security you need if you know how to use it."

有人知道如何安全可靠地执行此操作吗?我想为每次提交都生成一个新的 VM，但这会产生太多的开销，而且几乎不可能有效实施.

Would anyone know how a safe and secure way to go about doing this? I thought about spawning a new VM for every submission, but that would have way too much overhead and be pert-near impossible to implement efficiently.

推荐答案

http://codepad.org/about 已经成功实现了这样的系统(作为公共代码粘贴/运行服务！)

http://codepad.org/about has implemented such a system successfully (as a public code pasting/running service!)

codepad.org 是一个在线编译器/解释器，也是一个简单的协作工具.它是一个为您执行代码的 pastebin.[...]

codepad.org is an online compiler/interpreter, and a simple collaboration tool. It's a pastebin that executes code for you. [...]

工作原理

代码执行由基于 geordi 的主管处理.策略是在 ptrace 下运行所有​​内容，不允许或忽略许多系统调用.编译器和最终的可执行文件都在 chroot jail 中执行，具有严格的资源限制.主管是用 Haskell 编写的.

Code execution is handled by a supervisor based on geordi. The strategy is to run everything under ptrace, with many system calls disallowed or ignored. Compilers and final executables are both executed in a chroot jail, with strict resource limits. The supervisor is written in Haskell.

[...]

当您的应用程序是远程代码执行时，您必须预料到安全问题.我采取了一些额外的预防措施，而不是仅仅依赖 chroot 和 ptrace 主管:

When your app is remote code execution, you have to expect security problems. Rather than rely on just the chroot and ptrace supervisor, I've taken some additional precautions:

• 主管进程在虚拟机上运行，​​这些虚拟机有防火墙，因此它们无法进行传出连接.

• The supervisor processes run on virtual machines, which are firewalled such that they are incapable of making outgoing connections.

运行虚拟机的机器也受到严密的防火墙保护，并定期从其源映像中恢复.

The machines that run the virtual machines are also heavily firewalled, and restored from their source images periodically.

这篇关于在服务器上安全执行用户提交的python代码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！