-
Notifications
You must be signed in to change notification settings - Fork 4
Security
Make sure that you are using Sandbox for C/C++ and you have enabled Java Security Manager (Java Policy) for Java. You can read more about sandboxing here.
Shield is not a real protection, but is more than nothing! Make sure that you have enabled Shield for C, C++ and Python. You can read more about Shield here.
It is very important to run submitted codes as a non-privileged user - a user who does not have access to the network, is not able to write any files, and is not able to create lots of processes.
I assume that PHP is running as user www-data on your server.
Create a new user restricted_user and set a password for it.
Run sudo visudo and add this line at the end of sudoers file:
www-data ALL=(restricted_user) NOPASSWD: ALL
In tester/runcode.sh change
if $TIMEOUT_EXISTS; then
timeout -s9 $((TIMELIMITINT*2)) $CMD <$IN >out 2>err
else
$CMD <$IN >out 2>err
fito
if $TIMEOUT_EXISTS; then
sudo -u restricted_user timeout -s9 $((TIMELIMITINT*2)) $CMD <$IN >out 2>err
else
sudo -u restricted_user $CMD <$IN >out 2>err
fiAnd uncomment this line:
sudo -u restricted_user pkill -9 -u restricted_userrestricted_user should not be able to access network. You can disable networking for a user in Linux using iptables.
Read more about this here and here.
After disabling networking, test it by running ping as restricted_user.
Just make sure that no file or directory is writable by restricted_user. Check your file and directory permissions.
Limit number of processes of restricted_user.
Open /etc/security/limits.conf and add these lines:
restricted_user soft nproc 3
restricted_user hard nproc 5
I use 3, 5. You can use different soft and hard limits.
Use a server for web interface and handling web requests and use another server for running submitted codes. This decreases the risk of running submitted codes. You need to change MySui Online Judge's source code to achieve this. Maybe I add this feature in future.