
Sandboxing in Linux

I want to create a Web app which would allow the user to upload some C code, and see the results of its execution (the code would be compiled on the server). The users are untrusted, which obviously has some huge security implications.

So I need to create some kind of sandbox for the apps. At the most basic level, I'd like to restrict access to the file system to some specified directories. I cannot use chroot jails directly, since the web app is not running as a privileged user. I guess a suid executable which sets up the jail would be an option.

The uploaded programs would be rather small, so they should execute quickly (a couple of seconds at most). Hence, I can kill the process after a preset timeout, but how do I ensure that it doesn't spawn new processes? Or if I can't, is killing the entire pgid a reliable method?

What would be the best way to go about this - other than "don't do it at all"? :) What other glaring security problems have I missed?

FWIW, the web app will be written in Python.

oggy asked Jun 19 '09 19:06
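An added example (not part of the original question or its answers) of the timeout-and-kill approach asked about above, in Python as the question specifies: the child gets its own session and process group, kernel resource limits, and a wall-clock timeout after which the whole group is killed. The names `run_untrusted` and `LIMITS` and all limit values are assumptions chosen for illustration.

```python
import os
import resource
import signal
import subprocess

# Constructed limits for a job expected to finish within a couple of seconds.
LIMITS = {
    resource.RLIMIT_CPU: 2,                 # CPU seconds before the kernel signals it
    resource.RLIMIT_AS: 256 * 1024 * 1024,  # address space, bytes
    resource.RLIMIT_FSIZE: 1024 * 1024,     # largest file it may write, bytes
    resource.RLIMIT_CORE: 0,                # no core dumps
    # resource.RLIMIT_NPROC counts processes per real UID, so it only bounds
    # spawning when each job runs under its own dedicated, unprivileged UID.
}

def _apply_limits():
    """Runs in the child between fork() and exec()."""
    for res, want in LIMITS.items():
        _, hard = resource.getrlimit(res)
        # An unprivileged process cannot raise a hard limit, so clamp to it.
        value = want if hard == resource.RLIM_INFINITY else min(want, hard)
        resource.setrlimit(res, (value, value))

def run_untrusted(argv, wall_timeout=3.0, cwd=None):
    """Run argv in its own session; return (returncode, output, timed_out)."""
    proc = subprocess.Popen(
        argv, cwd=cwd, env={"PATH": "/usr/bin:/bin"},
        stdin=subprocess.DEVNULL, stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
        start_new_session=True,    # new session and process group, pgid == proc.pid
        preexec_fn=_apply_limits,  # not thread-safe; call from a single-threaded worker
    )
    timed_out = False
    try:
        out, _ = proc.communicate(timeout=wall_timeout)
    except subprocess.TimeoutExpired:
        timed_out = True
    finally:
        # Kill everything still in the group, including children left behind by
        # a leader that already exited. Processes that moved to another session
        # or group are NOT reached, which is why jail or VM isolation is still needed.
        try:
            os.killpg(proc.pid, signal.SIGKILL)
        except ProcessLookupError:
            pass
    if timed_out:
        out, _ = proc.communicate()  # reap the leader and collect partial output
    return proc.returncode, out, timed_out
```

This bounds time and resources only; it does not restrict file system or network access, which the answers address with jails and virtual machines.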



3 Answers

Along with the other suggestions you might find this useful.

http://www.eelis.net/geordi/

This is from http://codepad.org/about, codepad.org's about page.

Sweeney answered Oct 29 '22 22:10


The few details you provide imply that you have administrative control over the server itself, so my suggestion makes this assumption.

I'd tackle this as a batch system. The web server accepts an upload of the source file, a process polls the submission directory, processes the file, and then submits the result to another directory which the web application polls until it finds the result and displays it.

The fun part is how to safely handle the execution.

My OS of choice is FreeBSD, so I'd set up a pre-configured jail (not to be confused with a vanilla chroot jail) that would compile, run, and save the output. Then, for each source file submission, launch a pristine copy of the jail for each execution, with a copy of the source file inside.

Provided that the jail's /dev is pruned down to almost nothing, system resource limits are set safely, and that the traffic can't route out of the jail (bound to unroutable address or simply firewalled), I would personally be comfortable running this on a server under my care.

Since you use Linux, I'd investigate User Mode Linux or Linux-VServer, which are very similar in concept to FreeBSD jails (I've never used them myself, but have read about them). There are several other such systems listed here.

This method is much more secure than a vanilla chroot jail, and it is much more light-weight than using full virtualization such as qemu/kvm or VMware.

I'm not a programmer, so I don't know what kind of AJAX-y thing you could use to poll for the results, but I'm sure it could be done. As an admin, I would find this a fun project to partake in. Have fun. :)

Geoff Fritz answered Oct 29 '22 21:10


I'd say this is extremely dangerous on many levels. You're essentially opening yourself up to any exploit that can be found on your system (whereas you're normally limited to the ones people can exploit remotely). I'd say don't do it if you can avoid it.

If you do want to do it, you might want to use some kind of virtual machine to run the user's code. Using something like KVM it's possible to set up a number of virtual machines using the same base image (you can even store a snapshot in an already-booted state, though I'm not sure how it will handle being cloned). You can then create the VMs on demand, run the user's code, return the results, and then kill off the VM. If you keep the VMs isolated from each other and the network, the users can wreak any havoc they want and it won't hurt your physical server. The only danger you're exposing yourself to under these conditions would be some kind of exploit that allows them to escape from the VM... those are extremely rare, and will be more rare as hardware virtualization improves.

rmeador answered Oct 29 '22 22:10