I am involved in making an online-programming judge who supports C / C ++ like SOPO, UVA etc. on Linux machine (Ubuntu).
1. Execution code junking (sandboxing) with crude system call in folder with limited environment I came in a utility, but I think the system call alone will be enough for my work because I do not have to jail the user, only execution code To create a run time environment in the folder, I have copied the following files with files to create a restricted shell (shell is created only)
Where a.out is the one Executable C ++ file Had faced problems: i) I have tried some programs which are going fine in jail. But can someone confirm that these files will be sufficient for all algorithmic-intensive codes, that is, it is not necessary to handle any system call explicitly. Ii) It would be great if any runtime could limit any system call by limiting libraries and recommend any way the jail folder is provided in the form of fork (s), socket () etc., by any code Are not expected. 2. If it uses some suspicious system calls, then with the help of system call and call the ongoing code and call. Now what is the problem the system call should be banned? What do I think is restricting fork (), vfork (), and execve () , since there is a time limit (barely 10 seconds) to execute each program, after this There will be automatically killed and there is no other way to make any other process than funk (), vfork (). But since my thoughts are surrounded by my imagination, it would be great if someone got another opinion to turn things around here. So I'm really worried i) and ii) "faced with problems" and if a person has to find ways to point out in two ways after the ban. The biggest security risk of running this way is likely to make an outgoing network connection at port 25. Someone will get your service, do thousands of spamming, and you will be restricted by your host. Plus you will hate everyone on your hosting provider / ISP for getting blacklisted full IP block in every super-enthusiastic spam merchant database. Fortunately, Also, keep in mind that, these days, outgoing http and https connections can be useful as smtp for spamming (message boards, compromised Twitter and FB accounts etc.), so you actually have some heavy Block or just block network access altogether. $ ldd ./a.out
linux-gate.so.1 = & gt; (0x00f4c000) libstdc ++.6 = & gt; /usr/lib/libstdc++.so.6 (0x007a5000)
libm.so.6 = & gt; /lib/tls/i686/cmov/libm.so.6 (0x00b80000)
libgcc_s.so.1 = & gt; /lib/libgcc_s.so.1 (0x00e0c000)
libc.so.6 = & gt; /lib/tls/i686/cmov/libc.so.6 (0x00110000)
/lib/ld-linux.so.2 (0x00f7c000)
iii) To know only, I copied the file shown by ldd / usr / bin / gcc and / usr / bin / gcc but I used the GCC in jail with error Unable to do - bash-4.1 # / usr / bin / gcc try.c gcc: error is trying to run 'cc1': execvp: no such file or directory:
I How can I fix this?
iptables can block locally on the basis of the UIDs of those processes that are being created by them. It's probably the least outcome to protect yourself from becoming a help for spammers, but if the box does not need to make a valid outgoing connection, then you can only use a more restricted firewall.
Comments
Post a Comment