gcc sandboxing tool - AppArmor / CHROOT jail on Ubuntu 12.04

Posted by StuR on Server Fault See other posts from Server Fault or by StuR
Published on 2012-11-22T15:18:50Z Indexed on 2012/11/22 17:01 UTC
Read the original article Hit count: 261

Filed under:

ubuntu-12.04

|

chroot

|

node.js

|

gcc

|

apparmor

We have a Node application as the front end to a C++ sandboxing tool, which compiles code using gcc and outputs the result to the browser.

e.g.

  exec("gcc -o /tmp/test /tmp/test.cpp", 
    function (error, stdout, stderr) {
      if(!stderr) {
        execFile('/tmp/test', function(error, stdout, stderr) {});
}
});

This works fine.

However, as you can imagine this is a security nightmare if it were to be made public - so I was thinking of two options to protect my stack:

1) A CHROOT jail - but this in itself wouldn't be enough to prevent directory traversal / file access.

2) AppArmor ?

So my question is really, how could I protect my stack from any nasties that could come from:

A) Compiling unknown code using gcc

B) Executing the compiled code

© Server Fault or respective owner

Related posts about ubuntu-12.04

How to Upgrade Ubuntu 12.04.2 to Ubuntu 12.04.3

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I am currently using Ubuntu 12.04.2 32bit. I installed it using LiveCD. Tomorrow, 23rd August 2013,Ubuntu 12.04.3 is released. I want to upgrade from Ubuntu 12.04.2 to Ubuntu 12.04.3 without using any LiveCD. Is it possible? If so please suggest me how can I do. Actually while using Ubuntu 12.04… >>> More
Download the ‘Getting Started with Ubuntu 12.04' Manual for Free

as seen on How to geek - Search for 'How to geek'
If you or someone you know is new to Ubuntu, then the release of this free 143 page manual for the latest LTS edition of Ubuntu is the perfect download. The manual will take you from installing Ubuntu 12.04 all the way through to trouble-shooting the system if you run into problems. On the downloads… >>> More
Ubuntu 12.04.1 Radeon 9550 stuck with 640x480, works in Geexbox

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I am a complete new user trying to set up Ubuntu on an old desktop. It has an AGP Radeon 9550 graphics card. I am running Ubuntu from a USB drive with persistence as the PC currently has no hard drive I seem to be stuck in 640*480 mode. The desktop itself is larger, but the monitor display is stuck… >>> More
Ubuntu 12.04.1 desktop monitor Out of Range

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I know this question has been asked many-a-times, but I cant seem to get a definate answer to it. I am running Ubuntu 12.04.1 LTS on my HP Pavillion a6 109n PC. Processor is a AMD Athlon 64 x2 Dual core Processor. Everytime I boot up my desktop, it runs BIOS, then it boots up Linux. After about… >>> More
Key-Based SSH Permission denied (publickey) Ubuntu 12-04

as seen on Server Fault - Search for 'Server Fault'
I have configured sshd to accept key-based ssh logins with LogLevel on DEBUG, and uploaded my public key to ~/.ssh.authorized_keys, where permissions are set as: 700 ~/.ssh 600 ~/.ssh/authorized_keys From root, I can su - USERNAME. From the client I get Permission denied (publicly). From the server… >>> More

Related posts about chroot

Chroot within chroot

as seen on Server Fault - Search for 'Server Fault'
I'm using Centos 5.2 and when I try to make a chroot jail using the script, I get: Copying libraries for /usr/bin/scp. (0x00007fff17bfe000) cp: cannot stat `(0x00007fff17bfe000)': No such file or directory ... I am currently using on a rackspace cloud server so i suspect that these dependencies… >>> More
start apache2 in chroot environment

as seen on Server Fault - Search for 'Server Fault'
This is my first time I am trying to install Apache2 HTTP server in a chroot environment. That's why i decided to follow this procedure : http://www.symantec.com/connect/articles/securing-apache-2-step-step my web server start with successful : root@ubuntu:/usr/local/apache2/bin/apachectl start [Tue… >>> More
OpenSSH SFTP server with chroot() + user with chroot exception

as seen on Server Fault - Search for 'Server Fault'
I am currently setting up an SFTP server but there is one detail I can't seem to figure out. When I add a user, I would like him to connect using his client and be able to write in his "root dir" right away. My Match case for the SFTP-users group currently has ChrootDirectory set as "/home/%u",… >>> More
Chroot into a 32 bit version of ubuntu from a 64 bit host

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I have a piece of software that only runs on 32 bit linux (Xilinx webPack 10.1, apperently it 'has' to be the old version because that's the latest one compatible with their boards), anyway, this version is only compatible with 32 bit linux. So, I head off to this page to see what I can do: https://help… >>> More
Chroot with CentOS 5.3 + openssh 4.3p2

as seen on Server Fault - Search for 'Server Fault'
OS: CentOS 5.3, with openssh 4.3p2 Trying to set 'chroot' in ssh shell, but openssh version prior to 4.8 doesn't take below settings. yum update openssh open up to version 4.3 which is quite old. Doesn't CentOS support openssh 4.8 or up? If that's the case, how to set chroot with openssh 4.3? or… >>> More