[Edu-sig] chroot jail or sandbox?

Todd Whittaker todd@thewhittakers.org
Thu, 25 Apr 2002 06:57:46 -0400 (EDT)


Louis,

I have implemented such a system, and the insecurity of it still gives me
the shivers.  But, I can assert that it surely makes grading laboratory
exercises **much** easier.

Permit me to make a few suggestions:

1. Have students authenticate to your system.  This will prevent the 
   general cracker audience from dropping in just any old program.  They'd 
   at least need to compromise a username/password pair first.

2. Don't trust any input that the user actually gives, such as a username 
   or lab number.  Look up their input in a database of permitted labs, 
   and then you can use your own data to construct paths for where to 
   place the uploaded files.

3. It's good to run it chrooted.  However, even this isn't enough unless 
   you're clever enough to put each individual submission into its own 
   jail, otherwise students can still write scripts to read each other's 
   files.  A better suggestion would be to set up a jail that can run a 
   Java virtual machine with a security policy file.  Then, use Jython to 
   compile the Python scripts into Java .class files, and execute those.

It's been my long-term goal to rewrite what I have working, and provide it 
as GPL'd software, but that's a large number of weekend hacking sessions 
away.

Good luck!

-- 
Todd
 
-------------------------------------------------------------
 Todd A. Whittaker  mailto:todd@thewhittakers.org
                    http://www.thewhittakers.org/~todd/
-------------------------------------------------------------

On Wed, 24 Apr 2002, Louis Bertrand wrote:

> Hello,
> 
> I'm exploring the idea of having my students 
> submit their programming assignments through 
> a Web dropbox and having those assignments 
> automatically marked by a script that runs 
> the submitted program with pre-arranged 
> test data, catching any boo-boos with exceptions.
> 
> Here's the problem: this plan violates the secure 
> programming principle that you should never treat 
> data as code and I might be leaving myself 
> open for some serious malware.
> 
> Does anyone have any experience with restricting the 
> privileges of a running Python program?
> 
> As a first pass, I would:
>  * run Python in a chroot(2) jail
>  * load the jail with only the bare minimum to run Python
> and remove networking and os modules (at least).
>  * scan the submitted programs for usage of sys.path.
> 
> Any other suggestions?
> 
> Thanks
>  --Louis
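
Suggestion 2 in the reply above (look the lab up in a table of permitted labs and build the storage path from your own data) can be sketched as follows. This is an added example, not code from either poster; the tables, the function names and the `RejectedSubmission` exception are hypothetical, and the authenticated login is assumed to come from the web server's own session, not from the upload form.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Constructed sample data standing in for the "database of permitted labs".
# Keys are what a client may send; values are directory names chosen server-side.
PERMITTED_LABS = {"1": "lab01", "2": "lab02"}
# Constructed enrolment table: authenticated login -> server-side student id.
ENROLLED = {"alice": "s1001", "bob": "s1002"}


class RejectedSubmission(Exception):
    """Raised when the request does not map to a permitted (student, lab) pair."""


def submission_path(base: Path, login: str, lab_field: str) -> Path:
    """Build a fresh file path using only values looked up on the server."""
    student_dir = ENROLLED.get(login)
    lab_dir = PERMITTED_LABS.get(lab_field)   # exact match only, no parsing
    if student_dir is None or lab_dir is None:
        raise RejectedSubmission("unknown user or lab")
    root = base.resolve()
    target = (root / lab_dir / student_dir).resolve()
    # Defence in depth: a symlink planted under the root must not redirect us.
    if root not in target.parents:
        raise RejectedSubmission("path escapes upload root")
    target.mkdir(parents=True, exist_ok=True, mode=0o700)
    # The client's own filename is never used; the server picks the name.
    return target / f"submission-{secrets.token_hex(8)}.py"


def store_submission(base: Path, login: str, lab_field: str, data: bytes) -> Path:
    """Write the upload to a new file; O_EXCL refuses to overwrite anything."""
    path = submission_path(base, login, lab_field)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    upload_root = Path(tempfile.mkdtemp())
    print(store_submission(upload_root, "alice", "1", b"print('hello')\n"))
    try:
        store_submission(upload_root, "alice", "../../etc", b"")
    except RejectedSubmission as exc:
        print("rejected:", exc)
```
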