gcc sandboxing tool - AppArmor / CHROOT jail on Ubuntu 12.04
Posted
by
StuR
on Server Fault
See other posts from Server Fault
or by StuR
Published on 2012-11-22T15:18:50Z
Indexed on
2012/11/22
17:01 UTC
Read the original article
Hit count: 299
We have a Node application as the front end to a C++ sandboxing tool, which compiles code using gcc and outputs the result to the browser.
e.g.
exec("gcc -o /tmp/test /tmp/test.cpp",
function (error, stdout, stderr) {
if(!stderr) {
execFile('/tmp/test', function(error, stdout, stderr) {});
}
});
This works fine.
However, as you can imagine this is a security nightmare if it were to be made public - so I was thinking of two options to protect my stack:
1) A CHROOT jail - but this in itself wouldn't be enough to prevent directory traversal / file access.
2) AppArmor ?
So my question is really, how could I protect my stack from any nasties that could come from:
A) Compiling unknown code using gcc
B) Executing the compiled code
© Server Fault or respective owner