Can I limit a process's access to specified files and stdout only without root?
I want to setup a server for students to upload C code. The server compiles C code, run the binary and shows output to students.
Now I am having security concern. Students can upload any code, but I want them can access 2 specified files (1 for read and 1 for write with fopen) and stdout only. I don't want them to access Internet or any other files on the system.
The server I have is containerized Linux, and I don't have root.
I have thought about these solutions:
chrootorfirejail. (I don't have server's root. It's containerized, setting euid is not allowed)use some
gccoptions, or.hfiles or C library limit. (I have little knowledge about compiling. Theorially people can do anything with C not using any header files or library)use something like
straceorptraceto monitor the process and terminate it if it want to do what I don't want it to.
Is it possible to do that?
compiling c access-control jails
edited Jan 22 at 12:52
Rui F Ribeiro
39.7k1479132
asked Jan 22 at 12:13
Bob JohnsonBob Johnson
746
add a comment |
I want to setup a server for students to upload C code. The server compiles C code, run the binary and shows output to students.
Now I am having security concern. Students can upload any code, but I want them can access 2 specified files (1 for read and 1 for write with fopen) and stdout only. I don't want them to access Internet or any other files on the system.
The server I have is containerized Linux, and I don't have root.
I have thought about these solutions:
chrootorfirejail. (I don't have server's root. It's containerized, setting euid is not allowed)use some
gccoptions, or.hfiles or C library limit. (I have little knowledge about compiling. Theorially people can do anything with C not using any header files or library)use something like
straceorptraceto monitor the process and terminate it if it want to do what I don't want it to.
Is it possible to do that?
compiling c access-control jails
edited Jan 22 at 12:52
Rui F Ribeiro
39.7k1479132
asked Jan 22 at 12:13
Bob JohnsonBob Johnson
746
add a comment |
I want to setup a server for students to upload C code. The server compiles C code, run the binary and shows output to students.
Now I am having security concern. Students can upload any code, but I want them can access 2 specified files (1 for read and 1 for write with fopen) and stdout only. I don't want them to access Internet or any other files on the system.
The server I have is containerized Linux, and I don't have root.
I have thought about these solutions:
chrootorfirejail. (I don't have server's root. It's containerized, setting euid is not allowed)use some
gccoptions, or.hfiles or C library limit. (I have little knowledge about compiling. Theorially people can do anything with C not using any header files or library)use something like
straceorptraceto monitor the process and terminate it if it want to do what I don't want it to.
Is it possible to do that?
compiling c access-control jails
edited Jan 22 at 12:52
Rui F Ribeiro
39.7k1479132
asked Jan 22 at 12:13
Bob JohnsonBob Johnson
746
I want to setup a server for students to upload C code. The server compiles C code, run the binary and shows output to students.
Now I am having security concern. Students can upload any code, but I want them can access 2 specified files (1 for read and 1 for write with fopen) and stdout only. I don't want them to access Internet or any other files on the system.
The server I have is containerized Linux, and I don't have root.
I have thought about these solutions:
chrootorfirejail. (I don't have server's root. It's containerized, setting euid is not allowed)use some
gccoptions, or.hfiles or C library limit. (I have little knowledge about compiling. Theorially people can do anything with C not using any header files or library)use something like
straceorptraceto monitor the process and terminate it if it want to do what I don't want it to.
Is it possible to do that?
compiling c access-control jails
compiling c access-control jails
edited Jan 22 at 12:52
Rui F Ribeiro
39.7k1479132
asked Jan 22 at 12:13
Bob JohnsonBob Johnson
746
edited Jan 22 at 12:52
Rui F Ribeiro
39.7k1479132
asked Jan 22 at 12:13
Bob JohnsonBob Johnson
746
edited Jan 22 at 12:52
Rui F Ribeiro
39.7k1479132
edited Jan 22 at 12:52
Rui F Ribeiro
39.7k1479132
edited Jan 22 at 12:52
Rui F Ribeiro
39.7k1479132
39.7k1479132
asked Jan 22 at 12:13
Bob JohnsonBob Johnson
746
asked Jan 22 at 12:13
Bob JohnsonBob Johnson
746
asked Jan 22 at 12:13
Bob JohnsonBob Johnson
746
746
add a comment |
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f495964%2fcan-i-limit-a-processs-access-to-specified-files-and-stdout-only-without-root%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f495964%2fcan-i-limit-a-processs-access-to-specified-files-and-stdout-only-without-root%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
