I want to make a web service that run other people code locally... Naturally, I want to limit their code access to certain "sandbox" directory, and that they wont be able to connect to other parts of my server (DB, main webserver, etc)

Whats the best way to do it?

Run VMware/Virtualbox:

(+) I guess it's as secure as it gets.. even if someone manage to "hack".. they only hack the guest machine

(+) can limit the cpu & memory the process uses

(+) easy to setup.. just create the VM

(-) harder to "connect" the sandbox directory from the host to the guest

(-) wasting extra memory and cpu for managing the VM

Run underprivileged user:

(+) doesnt waste extra resources

(+) sandbox directory is just a plain directory

(?) cant limit cpu and memory?

(?) dont know if it's secure enough...

Any other way?

Server running Fedora Core 8, the "other" codes written in Java & C++