

Groups > comp.os.linux.security > #49

Re: Running untrusted code inside a chroot/iptables jail

From NoStop <nostop@nonet.com>
Subject Re: Running untrusted code inside a chroot/iptables jail
Newsgroups alt.os.linux.ubuntu, comp.os.linux.misc, comp.lang.perl.misc, comp.lang.perl.modules, comp.os.linux.security
References <LKydnXfq5rwxK8bTnZ2dnUVZ_tCdnZ2d@giganews.com>
Followup-To alt.os.linux.ubuntu
Message-ID <J7dcq.14719$9w.11368@newsfe18.iad>
Date 2011-09-14 19:09 -0700

Cross-posted to 5 groups.

Followups directed to: alt.os.linux.ubuntu



Ignoramus4738 wrote:

> I have a system where users can write untrusted code in perl (algebra
> calculators for algebra.com).
> 
> They used to be able to call one another, which, I thought, was
> cool.
> 
> I used to use the Safe.pm module to run them. Unfortunately, something
> changed in Safe.pm and I can no longer have those untrusted pieces of
> code call each other, as Safe.pm refuses to do so and says "require
> trapped".
> 
> This leads to solvers not working and users leaving those nonworking
> pages.
> 
> I want to re-architect the whole thing and go away from Safe.pm
> entirely.
> 
> My plan is to do the following:
> 
> 1) Run a calculation daemon as user "algebracalc".
> 
> 2) It would listen on localhost only, to queries from my mod_perl
>    (CGI) scripts.
> 
> 3) It would load all required perl modules and open a MySQL connection
> with a MySQL user 'algebracalc', which only has a SELECT privilege on
> only the one table that it needs (table with source code of said
> calculators).
> 
> The untrusted code will have access to this MySQL handle, though not
> directly through any variables, but it will inherit it and it will be
> accessible.
> 
> 4) Upon receiving an internal connection, the daemon would
>   a) Fork
>   b) Chroot to a "chroot jail". So, the code will be executed in a
>      chroot jail.
> 
> 5) Using iptables, user "algebracalc" will NOT be allowed to make any
> network connections, to localhost or any other IP address, or to use UDP.
> 
> 6) Code will have some ulimits set to not abuse my memory or CPU.
> 
> Items 1-6 ensure, in my mind, that the unauthorized code will not be
> able to abuse my system in any way, such as by sending spams,
> accessing unauthorized files, etc.
> 
> What have I missed?
> 
> Thanks
> 
> i

How will it know when the bread is toasted enough to eject it?

Cheers.
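The fork / chroot / privilege-drop / ulimit sequence from steps 4 and 6 of the quoted plan, written out as an added Python example. This is not code from the post or from algebra.com; the jail path, the uid/gid and the limit values are constructed assumptions. Two details the plan leaves implicit are made explicit here: chroot(2) requires CAP_SYS_CHROOT, so the daemon cannot already be running as "algebracalc" when the child chroots (chroot first, chdir to "/", then drop groups, gid and uid), and descriptors the child inherits from the daemon, the MySQL socket among them, stay open across the privilege drop unless the child closes them, which is the only way to actually withdraw the handle rather than hide it behind variables.

```python
import os
import resource
import signal

JAIL_DIR = "/var/lib/algebracalc/jail"   # hypothetical chroot directory (assumption)
JAIL_UID = 1500                          # hypothetical uid/gid of "algebracalc" (assumption)
JAIL_GID = 1500

# (soft, hard) pairs. CPU soft sits one second below hard on purpose: the kernel
# sends SIGXCPU at the soft limit and SIGKILL at the hard one; with soft == hard
# the hard check fires first and the process is simply SIGKILLed.
LIMITS = {
    resource.RLIMIT_CPU: (5, 6),                # seconds of CPU per calculation
    resource.RLIMIT_FSIZE: (1 << 20, 1 << 20),  # 1 MiB cap on any file written
    resource.RLIMIT_NOFILE: (64, 64),           # few descriptors to play with
    resource.RLIMIT_NPROC: (16, 16),            # no fork bombs
}


def apply_rlimits(limits):
    """Step 6: lower resource limits for the calling process. Lowering needs no
    privilege; hard limits are lowered too, so the code cannot raise them back."""
    for res, (soft, hard) in limits.items():
        resource.setrlimit(res, (soft, hard))


def close_inherited_fds(keep=(0, 1, 2)):
    """Close every descriptor the child inherited except those in keep. This is
    where the parent's MySQL socket goes away if the child must not have it."""
    for name in os.listdir("/proc/self/fd"):    # Linux: exactly the open fds
        fd = int(name)
        if fd not in keep:
            try:
                os.close(fd)
            except OSError:
                pass                            # the listdir handle itself is already gone


def enter_jail(jail_dir, uid, gid):
    """Step 4b. chroot(2) needs CAP_SYS_CHROOT, so the daemon must still hold it
    here. Order matters: chroot, chdir('/'), then drop groups, gid and uid; a
    process that keeps root inside a chroot can walk straight back out."""
    os.chroot(jail_dir)
    os.chdir("/")        # chroot does not move the cwd; a cwd outside the jail is a door out
    os.setgroups([])     # shed supplementary groups before the uid change
    os.setgid(gid)
    os.setuid(uid)
    try:                 # confirm root cannot be regained
        os.setuid(0)
    except PermissionError:
        return
    raise RuntimeError("privilege drop failed: root is still recoverable")


def run_confined(task, limits=LIMITS, jail=None):
    """Step 4a: fork, confine the child, run task() there, and report how the
    child ended: its exit status, or minus the signal that killed it.
    jail=(JAIL_DIR, JAIL_UID, JAIL_GID) needs root; None skips the chroot."""
    pid = os.fork()
    if pid == 0:
        try:
            close_inherited_fds()
            if jail is not None:
                enter_jail(*jail)
            apply_rlimits(limits)
            os._exit(int(task()))
        except Exception:
            os._exit(125)          # confinement failed: never run the untrusted task
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return -os.WTERMSIG(status)
    return os.WEXITSTATUS(status)


def limits_hold():
    """Task: 0 if every limit in LIMITS is in force inside the child."""
    return 0 if all(resource.getrlimit(r) == v for r, v in LIMITS.items()) else 1


def stray_handle_is_closed():
    """Open a descriptor in the parent (standing in for the MySQL socket) and
    check from inside the confined child that it is gone."""
    r, w = os.pipe()

    def probe():
        try:
            os.fstat(r)
            return 1                   # still open: the child could use it
        except OSError:
            return 0

    code = run_confined(probe)
    os.close(r)
    os.close(w)
    return code == 0


def runaway_is_stopped(cpu_seconds=1):
    """Spin forever under a small CPU limit; True if the kernel ended the child
    (SIGXCPU at the soft limit, SIGKILL if it somehow reached the hard one)."""
    limits = dict(LIMITS)
    limits[resource.RLIMIT_CPU] = (cpu_seconds, cpu_seconds + 1)

    def spin():
        while True:
            pass

    return run_confined(spin, limits) in (-signal.SIGXCPU, -signal.SIGKILL)


if __name__ == "__main__":
    print("limits hold:", run_confined(limits_hold) == 0)
    print("inherited handle closed:", stray_handle_is_closed())
    print("runaway stopped:", runaway_is_stopped())
```

Run unprivileged, the script exercises everything except the chroot itself; pass `jail=(JAIL_DIR, JAIL_UID, JAIL_GID)` from a root-started daemon to add step 4b. The ulimits are per process, so the daemon still needs step 5's network rule and its own accounting of concurrent children; the rlimits only stop one calculation from eating the machine.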



Thread

Running untrusted code inside a chroot/iptables jail Ignoramus4738 <ignoramus4738@NOSPAM.4738.invalid> - 2011-08-29 10:56 -0500
  Re: Running untrusted code inside a chroot/iptables jail NoStop <nostop@nonet.com> - 2011-09-14 19:09 -0700
