Sandboxing Publicly Accessible GCC
Problem description
I want to add a feature to a Linux-based web service that allows untrusted users to upload the source code to a small C++ program, and for that code to be automatically saved to a file on the server and compiled with gcc and then executed, capturing the standard output. (This is a feature not unlike ideone.com, or spoj.pl, or topcoder.com, or codechef.com, or many other web sites that do this.)
My questions are:
Q1. How do I sandbox the executable to guard against malicious users that try to damage the filesystem or access the network, etc?
Q2. Is there a fair/accurate way of rationing system resources to the process, such as processor time and memory usage?
Recommended answer
- chroot jail
- ulimit
- patch kernel so socket() by the uid you are running this as fails.
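
The `ulimit` item above, as an added example that is not part of the original answer: a Python launcher that applies the same rlimits the shell's `ulimit` sets to the child only, then captures its standard output. The name `run_limited`, its default values and the sample commands are assumptions made for illustration; the chroot and network restrictions are not covered here.

```python
import resource
import signal
import subprocess

def _lower(res, soft, hard):
    # An unprivileged process may lower a limit but never raise the hard one.
    cur_hard = resource.getrlimit(res)[1]
    if cur_hard != resource.RLIM_INFINITY:
        hard = min(hard, cur_hard)
    resource.setrlimit(res, (min(soft, hard), hard))

def run_limited(argv, cpu_seconds=2, memory_bytes=256 * 2**20,
                file_bytes=2**20, wall_seconds=10, max_output=65536):
    """Run argv under rlimits; return (status, captured stdout bytes)."""
    def apply_limits():
        # Runs in the child between fork() and exec(), so the limits bind
        # only the untrusted program and not the service that launched it.
        _lower(resource.RLIMIT_CPU, cpu_seconds, cpu_seconds + 1)
        _lower(resource.RLIMIT_AS, memory_bytes, memory_bytes)
        _lower(resource.RLIMIT_FSIZE, file_bytes, file_bytes)
        _lower(resource.RLIMIT_CORE, 0, 0)
    try:
        proc = subprocess.run(argv, stdin=subprocess.DEVNULL,
                              stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
                              preexec_fn=apply_limits, timeout=wall_seconds)
    except subprocess.TimeoutExpired as exc:
        # CPU time does not advance while a process sleeps, so a wall-clock
        # timeout is needed as well; subprocess.run kills the child here.
        return "wall-timeout", (exc.stdout or b"")[:max_output]
    out = proc.stdout[:max_output]
    if proc.returncode == -signal.SIGXCPU:
        return "cpu-limit", out
    if proc.returncode < 0:
        return "signal-%d" % -proc.returncode, out
    return "exit-%d" % proc.returncode, out

if __name__ == "__main__":
    # Constructed sample commands standing in for the compiled upload.
    print(run_limited(["/bin/sh", "-c", "echo hello"]))
    print(run_limited(["/bin/sh", "-c", "while :; do :; done"], cpu_seconds=1))
```

The output is truncated only after the child exits, so a service that expects very chatty programs should read the pipe incrementally and stop at its cap.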