Securely sandboxing for assessment in a programming course
I have one Linode 2GB running Debian on which I run my personal website, and a couple of websites of other people. Now, I teach programming at a university and I need to set up some form of automated assessment for students' programs (in different languages). The University has some basic setup for that, but it doesn't work very well.
I first thought I could just set up qemu machines on the Linode, with a shared /usr partition image mounted read-only, but then I checked this thread:
(It is very important to me that my Linode doesn't hang, and that all other websites keep running as usual)
So I thought I could then set up chrooted environments, to which students will have no login access. They would submit code, which would be compiled or interpreted according to the language, and executed as non-root user by a daemon:
1. Student submits file to a web server. The file is put on that student's chroot.
2. Another program, chrooted in that same place, runs the program and puts the output in a file.
3. The output file is read by a program outside the chroot, and compared to an expected output.
4. The result is published on a webpage so the student has his feedback.
A single /usr directory would be used for all chroots, and mounted read-only, and each student would have his /home, /var and /tmp directories.
But I am not sure about the security implications of this. My questions then are:
Is it possible for a non-root user to break out of the chroot on a modern Linux kernel?
If I decide to go with the chroot solution, what should I do besides, of course, dropping root privileges as soon as possible?
Thanks a lot!
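The pipeline sketched in steps 1 to 3, as an added example that is not part of the original post: a Python grading step that runs one submission inside a student's chroot as an unprivileged user, with CPU, memory, file-size and process limits plus a wall-clock timeout, and then compares the output with the expected output. The chroot path /srv/sandbox/alice, the system user sandbox-alice and the submission path in the usage stub are assumptions made for this example; `chroot_dir=None` with `user=None` runs the same code unconfined so the grader itself can be tested without root.

```python
import os
import pwd
import resource
import signal
import subprocess
import tempfile
from dataclasses import dataclass


@dataclass
class RunResult:
    status: str        # "ok", "error" or "timeout"
    returncode: int    # negative means killed by that signal
    stdout: bytes
    stderr: bytes


def _cap(limit, value):
    """Set soft and hard limit to `value`, never above the current hard limit
    (an unprivileged process may only lower its hard limits)."""
    _, hard = resource.getrlimit(limit)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(limit, (value, value))


def make_preexec(chroot_dir, uid, gid, cpu_seconds=2, mem_bytes=256 * 2**20,
                 fsize_bytes=2**20, nproc=64):
    """Return the function the child runs between fork() and exec()."""
    def preexec():
        if chroot_dir is not None:
            os.chroot(chroot_dir)     # needs root; argv[0] must then be a path inside the chroot
            os.chdir("/")             # chroot() does not move the cwd, so do it by hand
        if os.geteuid() == 0:
            os.setgroups([])          # supplementary groups, then gid, then uid: this order matters
            os.setgid(gid)
            os.setuid(uid)
        elif os.getuid() != uid:
            raise PermissionError("not root, cannot switch to the sandbox user")
        _cap(resource.RLIMIT_CPU, cpu_seconds)    # SIGKILL after that much CPU time
        _cap(resource.RLIMIT_FSIZE, fsize_bytes)  # largest file it may write (stdout is a file)
        _cap(resource.RLIMIT_NPROC, nproc)        # fork bombs stop here
        _cap(resource.RLIMIT_CORE, 0)             # no core dumps
        _cap(resource.RLIMIT_AS, mem_bytes)       # address-space cap, set last
    return preexec


def run_submission(argv, chroot_dir, user=None, stdin_data=b"", wall_seconds=5, **limits):
    """Run one submission as `user` inside `chroot_dir` (step 2 of the pipeline).

    chroot_dir=None and user=None run the command unconfined as the current user;
    that is only for testing the grader, never for real grading.
    """
    # Resolve the user before fork(): name lookups may not work inside the chroot.
    pw = pwd.getpwnam(user) if user else pwd.getpwuid(os.getuid())
    with tempfile.TemporaryFile() as out_f, tempfile.TemporaryFile() as err_f:
        proc = subprocess.Popen(
            argv,
            stdin=subprocess.PIPE, stdout=out_f, stderr=err_f,  # files, so RLIMIT_FSIZE bounds output
            preexec_fn=make_preexec(chroot_dir, pw.pw_uid, pw.pw_gid, **limits),
            start_new_session=True,      # own process group, so a timeout can kill every descendant
            env={"PATH": "/usr/bin:/bin"},  # nothing leaks from the grader's environment
            close_fds=True,              # the default, stated: no grader descriptors reach the child
        )
        # Popen's default restore_signals=True resets SIGPIPE/SIGXFSZ (ignored in Python) to
        # SIG_DFL in the child, so an over-large write kills the program instead of being ignored.
        try:
            proc.communicate(stdin_data, timeout=wall_seconds)
            status = "ok" if proc.returncode == 0 else "error"
        except subprocess.TimeoutExpired:
            try:
                os.killpg(proc.pid, signal.SIGKILL)
            except ProcessLookupError:
                pass
            proc.communicate()
            status = "timeout"
        out_f.seek(0)
        err_f.seek(0)
        return RunResult(status, proc.returncode, out_f.read(), err_f.read())


def grade(actual, expected):
    """Step 3: compare outputs, ignoring trailing whitespace and trailing blank lines."""
    def norm(data):
        lines = [line.rstrip() for line in data.decode("utf-8", "replace").splitlines()]
        while lines and not lines[-1]:
            lines.pop()
        return lines
    return norm(actual) == norm(expected)


if __name__ == "__main__":
    # Usage as root. The chroot, the user and the submission path are assumptions for this example.
    result = run_submission(["/usr/bin/python3", "/home/submission.py"],
                            "/srv/sandbox/alice", "sandbox-alice", stdin_data=b"3 4\n")
    print(result.status, grade(result.stdout, b"7\n"))
```

Two points of the design carry the security weight: the privilege drop and every limit happen in the child after fork(), so the grader keeps root only to enter the chroot and switch user, and a separate uid per student means RLIMIT_NPROC and the process-group kill cannot reach another student's run. Output goes to a file the grader opened before the fork, so the student's program can neither redirect it nor outgrow RLIMIT_FSIZE.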
7 Replies
LXC = Chroot on steroids
Unfortunately, I am really short on money (in my country university teachers have low salaries), and setting up another Linode would be too expensive. I'll see what I can do with one single Linode, though.
Except for the "upload file" part, everything else would be better on a local VM.
Why not set up your testing system in a VM on your local box using the free VirtualBox app, then have your students submit their projects (in a well defined Zip folder) to either your email address or your free public Dropbox folder.
You're burning resources on your public webserver (and opening up all kinds of security issues) for seemingly no good reason.
No matter what you do, there will probably still be opportunities for people you don't trust to cause trouble.
@John Henry Eden:
I came across a hacking website that uses a Linode for running exercises. It allows SSH access to anyone, so presumably they have something to prevent malicious activity. They have a website on GitHub: overthewire.org.
I'm sure the owner(s) of those servers don't store any sensitive information on them, and are prepared to wipe them at a moment's notice. The OP wants to do this on the same VM as an important web server, which is not a good idea.
If I were doing this, I'd get a cheap dedicated server from OVH and use VirtualBox and Vagrant. Each submission would trigger a script that initializes a VirtualBox VM using "vagrant up", runs the code inside the VM, then collects the output and nukes the VM with "vagrant destroy". If it's set up correctly, the only way a malicious student could cause trouble is by finding a VM escape exploit in VirtualBox, which would be quite an achievement. Should be fairly easy to set up if you're familiar with Vagrant, though preventing excess resource consumption may take some work.
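The "vagrant up", run, "vagrant destroy" sequence from the reply above, as an added example driving it from Python; this is not code from the poster or from the Vagrant project. It assumes a Vagrantfile whose box already has the compilers installed and Vagrant's default synced folder, which maps the project directory to /vagrant in the guest. The box name used in the test is a placeholder, and the `run` parameter exists so the control flow (in particular that destroy always runs) can be exercised without Vagrant installed.

```python
import shutil
import subprocess
import tempfile
from pathlib import Path


def run_vagrant(args, cwd, timeout):
    """Run one `vagrant` subcommand in `cwd`; returns (returncode, stdout)."""
    res = subprocess.run(["vagrant", *args], cwd=cwd, capture_output=True, timeout=timeout)
    return res.returncode, res.stdout


def grade_in_vm(vagrantfile, submission, command, run=run_vagrant,
                boot_timeout=600, run_timeout=60):
    """Boot a throwaway VM for one submission, run `command` in it, destroy the VM.

    vagrantfile: text of the Vagrantfile to use (its box is assumed to carry the compilers).
    submission:  {filename: bytes} as handed over by the upload handler.
    command:     grader-chosen command line, run inside the guest in /vagrant, for example
                 "gcc -O2 main.c -o a.out && ./a.out < input.txt".
    run:         run_vagrant, or a stand-in for exercising the control flow without Vagrant.
    Returns (status, stdout) with status "ok", "error" or "timeout".
    """
    work = Path(tempfile.mkdtemp(prefix="grade-"))
    (work / "Vagrantfile").write_text(vagrantfile)
    for name, data in submission.items():
        # Path(name).name drops any directory part, so a name like "../../x" cannot escape `work`.
        safe = Path(name).name
        if not safe:
            continue
        (work / safe).write_bytes(data)
    try:
        rc, out = run(["up"], work, boot_timeout)
        if rc != 0:
            raise RuntimeError("vagrant up failed: " + out.decode("utf-8", "replace"))
        try:
            # The default synced folder maps `work` to /vagrant inside the guest.
            rc, out = run(["ssh", "-c", f"cd /vagrant && {command}"], work, run_timeout)
        except subprocess.TimeoutExpired:
            # Only the local `vagrant ssh` client was killed; the guest itself dies in `finally`.
            return "timeout", b""
        return ("ok" if rc == 0 else "error"), out
    finally:
        # The VM is throwaway state: destroy it whether grading succeeded, failed or timed out.
        run(["destroy", "-f"], work, boot_timeout)
        shutil.rmtree(work, ignore_errors=True)
```

The `finally` block is the whole point: a submission that hangs, crashes the compiler or fills the disk still ends with the guest destroyed and the scratch directory gone, so nothing from one student's run survives into the next. The resource consumption the reply mentions is bounded on the Vagrantfile side, through the provider's memory and CPU settings for the box, and on the host side through `run_timeout`.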