Code Execution Sandbox
TimeoutProcess() should execute the program under a lower / different privilege user. At the moment the process shares the same privilege as the main web app.
Consider the case when one user can easily submit something like:
- system("rm -rf ~/*") (in C)
- os.system("rm -rf ~/*") (in Python)
Of course it should! Do you have an idea how to do that without the parent process running with root privileges? All concepts using setuid or similar don't seem to work without being root.
Maybe some kind of passwordless sudo...
- http://www.sudo.ws/sudoers.man.html#runas_spec
I think there is no easy solution like switching the user... it can be more dangerous, involving root privilege. The only solution in my head now is to implement a code execution service running under a different user / environment. The web app must be able to talk to that service somehow.
I thought of that too, it would be especially nice, because it would allow us to even use different machines for the web app and the runner environment... But that would require some deeper changes... :expressionless: I think something (optional) with sudo would be easier to implement right now.
(In fact, I did mention these issues along with some more or less suitable solutions in my bachelor's thesis... But there was no time to do it yet - and in fact, it wasn't needed until now - no student ever tried anything remotely like that :innocent: )
:) I guess just for using in our class room would be no problem at all. I want to put it in here as an issue so that someone who wants to use it might take note, or maybe some smart people can help to find an intelligent solution (it's open source after all ;)).
:ok_hand:
That's what we need: https://httpd.apache.org/docs/2.2/suexec.html
Since scripts can't be executed setuid with their shebangs, this part needed to be written in C.
sauce/bin/suexec.c now contains a rip-off from Apache, stripped down to a bare minimum, leaving out things that I didn't understand.
Now this needs to be tested and the proper calling be implemented in sauce.lib.runner...
All optional, of course, to allow SAUCE to be run in userspace, too...
Ahahahaha.... Since suexec executes the program under a different user account, the killing of the process on timeout doesn't work, of course...
suexec uses the setuid and setgid stuff... Does that require root permission?
Yep! You can only use those system calls as root. So the suexec binary itself has to be owned by root and needs the setuid bit in its permissions. Then within suexec, lots of checks are performed and then setgid/initgroups/setuid are used to drop permissions back to a different user than the one that started suexec.
Sounds like a good solution :+1: (may not be portable though - but that's the least to worry about now). The only thing remaining is to make the "suexec" binary secured and bug-free. Regarding the timeout, can't you just use suexec again to kill the process?
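As an added illustration (not code from this thread, nor SAUCE's own sauce/bin/suexec.c), here is a minimal C wrapper in the shape the discussion above converges on: the setuid-root parent forks, the child drops privileges in the setgid/initgroups/setuid order and execs the submission in its own session, and the parent, which never gave up its privileges, enforces the wall-clock timeout and kills the child's whole process group, so the "can't kill a process owned by another user" problem goes away. The names run_sandboxed and drop_privileges are mine; it assumes a Linux/POSIX host, omits suexec's path, owner and mode checks, and when the requested uid/gid equal the caller's own it simply runs in the unprivileged "userspace" mode mentioned above.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <signal.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#define RUN_TIMEOUT (-2)  /* child exceeded the wall-clock limit and was killed */
#define RUN_ERROR   (-1)  /* fork, exec or privilege drop failed */

/* Hypothetical helper: drop to uid/gid in suexec's order (gid, groups, uid). */
static int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == getuid() && gid == getgid()) return 0;  /* "userspace" mode: nothing to drop */
    if (geteuid() != 0) return -1;                    /* only root may switch users */
    struct passwd *pw = getpwuid(uid);
    if (!pw) return -1;
    if (setgid(gid) != 0 || initgroups(pw->pw_name, gid) != 0 || setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;        /* the drop must be irreversible */
    return 0;
}

/* Run argv as uid/gid with a wall-clock limit; returns exit status, 128+signal, RUN_TIMEOUT or RUN_ERROR. */
int run_sandboxed(char *const argv[], uid_t uid, gid_t gid, int timeout_sec) {
    pid_t pid = fork();
    if (pid < 0) return RUN_ERROR;
    if (pid == 0) {
        /* New session = new process group, so the parent can kill(-pid) everything it spawns. */
        if (setsid() < 0 || drop_privileges(uid, gid) != 0) _exit(127);
        execvp(argv[0], argv);
        _exit(127);
    }
    struct timespec start, now, tick = {0, 10 * 1000 * 1000};
    clock_gettime(CLOCK_MONOTONIC, &start);
    for (;;) {
        int status;
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r == pid) return WIFEXITED(status) ? WEXITSTATUS(status)
                           : WIFSIGNALED(status) ? 128 + WTERMSIG(status) : RUN_ERROR;
        if (r < 0 && errno != EINTR) return RUN_ERROR;
        clock_gettime(CLOCK_MONOTONIC, &now);
        double elapsed = (now.tv_sec - start.tv_sec) + (now.tv_nsec - start.tv_nsec) / 1e9;
        if (elapsed >= timeout_sec) {
            /* The parent kept its privileges, so it can signal a child running as another user. */
            kill(-pid, SIGKILL);
            waitpid(pid, &status, 0);
            return RUN_TIMEOUT;
        }
        nanosleep(&tick, NULL);
    }
}
```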
You can also implement a service (as I suggested before) like this https://gist.github.com/danghvu/1d62e08854425d7b51eb It's event-driven by twisted, and you can send command and receive result via tcp socket. The advantage with this approach is it's more portable, you do not need root on your deployment server (maybe only need two different users: one for the sauce and one for service), you can even use multiple servers to execute code e.g. one server for C, one for CUDA, one for assembly.
Oh, that's simpler than I thought. :D But to support multiple worker servers, you'd need to have different ports and the webapp would need to know the addresses of all its workers... I thought something like Celery would probably be more suitable because it features all of that already...
But first, I'm gonna finish the suexec/timeout wrapper - I like it when you have different options of doing it in the end! ;)
I opened a separate bug for the distributed working issue: #141
I don't think the port and address may cause any problem, can easily use a config file for that. And ofc my code is only for suggestion and proof-of-concept :) you are the boss here to decide!
https://gist.github.com/moschlar/9e5bc8fd6a501fdb16cf