I am building a web based interface where people can type in simple C code for solving algorithmic programming questions. I am using Ace editor where people can type in code and when the press the run button, the C code is sent to server, compiled and output sent back.
How do the accomplish the second part in a secure way. I mean given a C code file, compile it and execute it. I can't trust the code so how do i make sure its not malicious and will not harm my system. Also how to impose memory and time limits.
Is there any already existing system open source system available which I can modify to suit my needs? I didn't find anything in my search. Or some pointers on how i should proceed next?
edit: Found http://cs.sru.edu/~contest/rocktest/ and trying to understand their code but still looking for better options, preferably in php
Allow me to plug AppArmor, a simple mandatory access control mechanism that can make creating these sorts of sandboxes simple. Here is a profile I have in place to confine my xpdf
PDF viewer:
#include <tunables/global>
/usr/bin/xpdf {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/X>
#include <abstractions/fonts>
/dev/tty rw,
owner /dev/pts/* rw,
/etc/papersize r,
/etc/xpdf/* r,
/bin/bash ix,
/usr/bin/xpdf r,
/usr/bin/xpdf.bin rmix,
/usr/share/xpdf/** r,
/usr/share/icons/** r,
owner /**.pdf r,
owner /tmp/* rw,
}
You could learn the basics of confining applications of your choice in half a day or so, and have profiles written for your server in another half day. (That xpdf
profile took me about four minutes to write, but I know what I'm doing. We have deployed AppArmor on a leading online retailer's public-facing servers over the course of an afternoon, with similar results with other deployments.)
AppArmor also gives an easy interface for configuring run-time limits, such as how much memory a process is allowed to allocate:
rlimit as <= 100M, # limit address space to 100 megabytes
AppArmor would be easiest to use on Ubuntu, openSUSE, SLES, PLD, Mandriva, Pardis, or Annvix distributions, as the tools come pre-installed. But the core AppArmor functionality is in stock Linux kernels 2.6.36 and newer, and it is possible to install AppArmor on any Linux distribution.
Other similar tools include SElinux, TOMOYO, or SMACK. I think SMACK would be the next-easiest to deploy, but any of them could prevent malicious code from harming your system.
I recommend the Ideaone API: http://ideone.com/api
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With