Secure way to run other people code (sandbox) on my server?

Question

I want to make a web service that runs other people's code locally. Naturally, I want to limit their code's access to a certain "sandbox" directory, so that they won't be able to connect to other parts of my server (DB, main webserver, etc.)

What's the best way to do this?

Run VMware/Virtualbox:

• + I guess it's as secure as it gets. Even if someone manage to "hack", they only hack the guest machine

• + Can limit the CPU & memory the processes use

• + Easy to set up - just create the VM

• - Harder to "connect" the sandbox directory from the host to the guest

• - Wasting extra memory and CPU for managing the VM

Run underprivileged user:

• + Doesn't waste extra resources

• + Sandbox directory is just a plain directory

• ? Can't limit CPU and memory?

• ? I don't know if it's secure enough

Any other way?

Server running Fedora Core 8, the "other" codes written in Java & C++

Answer 1

To limit CPU and memory, you want to set limits for groups of processes (POSIX resource limits only apply to individual processes). You can do this using cgroups.

For example, to limit memory start by mounting the memory cgroups filesystem:

# mount cgroup -t cgroup -o memory /cgroups/memory

Then, create a new sub-directory for each group, e.g.

# mkdir /cgroups/memory/my-users 

Put the processes you want constrained (process with PID "1234" here) into this group:

# cd /cgroups/memory/my-users # echo 1234 >> tasks 

Set the total memory limit for the group:

# echo 1000000 > memory.limit_in_bytes

If processes in the group fork child processes, they will also be in the group.

The above group sets the resident memory limit (i.e. constrained processes will start to swap rather than using more memory). Other cgroups let you constrain other things, such as CPU time.

You could either put your server process into the group (so that the whole system with all its users fall under the limits) or get the server to put each new session into a new group.