Secure way to run other people code (sandbox) on my server?

Question

I want to make a web service that runs other people's code locally. Naturally, I want to limit their code's access to a certain "sandbox" directory, so that they won't be able to connect to other parts of my server (DB, main webserver, etc.)

What's the best way to do this?

Run VMware/Virtualbox:

+ I guess it's as secure as it gets. Even if someone manage to "hack", they only hack the guest machine
+ Can limit the CPU & memory the processes use
+ Easy to set up - just create the VM
- Harder to "connect" the sandbox directory from the host to the guest
- Wasting extra memory and CPU for managing the VM

Run underprivileged user:

+ Doesn't waste extra resources
+ Sandbox directory is just a plain directory
? Can't limit CPU and memory?
? I don't know if it's secure enough

Any other way?

Server running Fedora Core 8, the "other" codes written in Java & C++

More on topic at: http://security.stackexchange.com/questions/32375/how-to-run-clients-code-on-server-securely — Ciro Santilli OurBigBook.com, Aug 05 '14 at 21:36
Does this answer your question? [How to run user-submitted scripts securely in a node.js sandbox?](https://stackoverflow.com/questions/7446729/how-to-run-user-submitted-scripts-securely-in-a-node-js-sandbox) — Ciro Santilli OurBigBook.com, Jun 29 '20 at 09:28

Thomas Leonard · Answer 1 · 2010-06-11T18:47:03.060

To limit CPU and memory, you want to set limits for groups of processes (POSIX resource limits only apply to individual processes). You can do this using cgroups.

For example, to limit memory start by mounting the memory cgroups filesystem:

# mount cgroup -t cgroup -o memory /cgroups/memory

Then, create a new sub-directory for each group, e.g.

# mkdir /cgroups/memory/my-users

Put the processes you want constrained (process with PID "1234" here) into this group:

# cd /cgroups/memory/my-users
# echo 1234 >> tasks

Set the total memory limit for the group:

# echo 1000000 > memory.limit_in_bytes

If processes in the group fork child processes, they will also be in the group.

The above group sets the resident memory limit (i.e. constrained processes will start to swap rather than using more memory). Other cgroups let you constrain other things, such as CPU time.

You could either put your server process into the group (so that the whole system with all its users fall under the limits) or get the server to put each new session into a new group.

score 9 · Answer 2 · answered Apr 27 '09 at 14:48

chroot, jail, container, VServer/OpenVZ/etc., are generally more secure than running as an unprivileged user, but lighter-weight than full OS virtualization.

Also, for Java, you might trust the JVM's built-in sandboxing, and for compiling C++, NaCl claims to be able to sandbox x86 code.

But as Checkers' answer states, it's been proven possible to cause malicious damage from almost any "sandbox" in the past, and I would expect more holes to be continually found (and hopefully fixed) in the future. Do you really want to be running untrusted code?

score 9 · Answer 3 · answered Apr 28 '09 at 03:19

9

Reading the codepad.org/about page might give you some cool ideas.

http://codepad.org/about

answered Apr 28 '09 at 03:19

Alix Axel

151,645
95
393
500

score 1 · Answer 4 · answered Aug 11 '10 at 10:34

1

Use Ideone API - the simplest way.

answered Aug 11 '10 at 10:34

kuszi

2,069
29
36

2

Ideone API limits the number of requests to 1000 per month. That's one of the reasons I want to create my own online judge. – shashankg77 Jul 14 '13 at 21:07
2

@SinnerShanky If you need an online judge service then there is a lot of ready made services. E.g. [DOMjudge](http://domjudge.sourceforge.net/) is the one you might install at your own server. You might also use [SPOJ](http://spoj.com) which is the one which allows to set customizable contest (and uses the same engine as ideone). BTW: Ideone allows more submissions in the charged option. – kuszi Jul 16 '13 at 19:02

score 1 · Answer 5 · answered Jan 15 '11 at 06:45

1

try using lxc as a container for your apache server

answered Jan 15 '11 at 06:45

amin

621
1
8
20

score 1 · Answer 6 · answered Apr 27 '09 at 09:25

1

Check out ulimit and friends for ways of limiting the underprivileged user's ability to DOS the machine.

answered Apr 27 '09 at 09:25

Douglas Leeder

52,368
9
94
137

Alex B · Accepted Answer · 2009-04-28T03:10:09.073

1

Running under unprivileged user still allows a local attacker to exploit vulnerabilities to elevate privileges.
Allowing to execute code in a VM can be insecure as well; the attacker can gain access to host system, as recent VMWare vulnerability report has shown.

In my opinion, allowing running native code on your system in the first place is not a good idea from security point of view. Maybe you should reconsider allowing them to run native code, this will certainly reduce the risk.

edited Apr 28 '09 at 03:10

answered Apr 27 '09 at 09:43

Alex B

82,554
44
203
280

4

well.. of course it's not a good idea from a security point of view, but I need to do it, so i have to compromise. I know that there isnt 100% security if I let other people run code (there isnt 100% security anywhere)- It's not a bank site where people have huge motivation to "hack".., I just want to get as much "Cost-Benefit" as I can. – amitkaz Apr 27 '09 at 14:42
1

Use some form of sandboxing, but consider disallowing running native code. Is this possible? – Alex B Apr 28 '09 at 03:12
24

We could extend this argument to *"there are vulnerabilities in web servers, so you should not run a web site."* In fact, *"there are vulnerabilities in web browsers, so you should not browse the Internet!"* – BlueRaja - Danny Pflughoeft Jun 11 '10 at 18:55
@BlueRaja, not to say that you *can't* allow users to run code at all (e.g. Google App Engine does allow you to run Java byte code), but native code has a bad track record of not turning local root vulnerabilities into remote root vulnerabilities. – Alex B Jun 11 '10 at 23:54
Is exploiting vulnerabilities to elevate privileges still relevant in 2014? – Hello World May 19 '14 at 11:15
@HelloWorld it's 2k15 and it's relevant and unless you make all privileges equal it will always be. Yeah, people code better and more secure code, but there is always some attack vector that can be tackled. Virtualisation is probably way to go, but depending on your use case you can opt to go for something like hardened gentoo (LXC jail, selinux, ...). This approach gives you more options, but getting it right might be challenging. Just make sure to minimize exposure to inherently insecure things (X server, video drivers). Expected performance hit of such setup should be around 5%. – Tomas Pruzina Feb 28 '15 at 02:12

score 1 · Answer 8 · answered May 10 '09 at 19:17

Try learning a little about setting up policies for SELinux. If you're running a Red Hat box, you're good to go since they package it into the default distro.

This will be useful if you know the things to which the code should not have access. Or you can do the opposite, and only grant access to certain things.

However, those policies are complicated, and may require more investment in time than you may wish to put forth.

score 0 · Answer 9 · answered May 10 '09 at 18:51

Not sure about how much effort you want to put into this thing but could you run Xen like the VPS web hosts out there?

http://www.xen.org/

This would allow full root access on their little piece of the server without compromising the other users or the base system.

Secure way to run other people code (sandbox) on my server?

9 Answers9

Linked

Related