Forum Thread: Linux SandBox

Linux SandBox

Hi, I was wondering if you could give me a hand with choosing a linux sandbox

1. I want it to work without recompiling kernel

2. I need it to block all networking and file I/O ( the best option would be if I could name explicitly some files that would be "reachable" )

Thanks for your help

13 Responses

I think most "beginner friendly" linux distros work without touching the kernel at all, correct me if I'm mistaken. Also I believe many linux distros come with some sort of firewall protection and permissions commands available to you although they would basically all require manual setup of some kind.. Hopefully that is helpful?

A "beginner friendly" distro I am fond of is Mint.

Thanks for the tip. But I need to run programs which will be created by many different people (I mean anyone) so I would prefer some completely isolated enviroment.

Why not roll a virtual environment. Look into Virtualbox?

Advantages: You end up with a fully funtional OS inside your host OS. Apps inside of it will not be able to reach the host OS, so you can test all you want inside of it. Plus, you get the options of using snapshots so if you end up ruining the hosted OS, you just reroll the snapshot and start afresh.

Thanks for your advice, but in this case it would be "overkill". I wanna use as much performance as possible.

Understandable, but in that case, I will be of no further use to you im afraid.

However, worst case scenario - consider a very low resource consumption distro on a VM. Today's machines should be able to handle heavy loads in vm even for what you want to do.

Create an account on the box you want to use solely used for sandboxing with absolutely no privelages, and then very strictly allow certain things in a beginner friendly version of linux? I think thats about as good as you can do.. Perhaps partition the hard drive to keep spaces totally seperated? I'm not sure, I feel like things are almost getting silly here. If you want something that is a physical space, runs linux… Why do you want this? What is your goal with this? Perhaps these questions will allow for more accurate help.

I want to create a server, where anyone would be able to upload his source code. Then server would run it to see if it's working properly. I want to use it to check programs created by various people.

That's why I want an isolated environment. Because someone might upload some malicious code or use the server for bad purposes, otherwise I would just run uploaded programs as unpriviledged user. But I want it to be as much secure as possible. 

That's a strange service you're trying to offer…. How could it possibly know if code worked properly? It could check if it crashed or not, but running the code themselves would tell them that.. 

As for keeping a handle on potentially malicious code… You will never be secure. If you want to be truly safe, stop using a computer with a connection to the internet, or any other network. If you want to not only use the internet but allow others to put run code on the machine… To do this on your own computer is like asking to get rooted, or at the very least misused somehow. 

If you had a physically separate machine the best tradeoff I can imagine is a computer that only allows connections through the ports that send and receive code and nothing else. That way the most they can do is mess with the box itself, but unless you start limiting the functionality of what the programs themselves can do on the machine there is really nothing they can't do. If you do limit the functionality of programs running on the machine somehow, you make the service as I imagine it basically useless. 

I guess your answer makes one of my previous questions more prevelant: Why do you want this? (Now that we know what "this" is specifically)

I am assuming you don't know much about *nix(I apologize in advance if I am wrong), and this response may be above your current skill level however my advice to you is to run a BSD box with the linux emulation layer installed. The best thing you could do is install PC-BSD on your target hardware machine, use the warden to create jails for each machine you intend to give users access to, you will then need to link your dev folder inside the jails so every machine has access to the files. I say PC-BSD only because it is much more user friendly and Linux users should feel at home on it(mostly).

Running jails is a form of file based virtualization that can be automated using scripts since everything is really a file.  This creates virtual machines that can be accessed through ssh or telnet on a per IP basis and you can give the users root access without fear of destroying you main machine, you can even mount the root partition as RO(jails) and configure how each jail will operate within the host, and set the secure level of the host to 2 to prevent the host machine from modifying its own files for more security.  Jails do have downfalls however, you cannot directly access sockets on the host (due to the nature of jails) so some services take extra work/hacking to get started and running properly within the jail. And modifying the secure level of a BSD machine will actually reduce its own ability to write to the filesystem and perform but I believe this will solve your problem.  You can read more about BSD jails here and there are numerous scripts on the net to help automate their creation.  I hope this helps and happy reading :-)

Carl, thanks for your help. I'll take a look at it to find out more about it. Because you're right I still don't know everything :)

Bird andBear: If you want to know how I'm gonna find out whether the program works correctly or not: I'll simply create a program which will be doing the same task. Then I'll generate some random input and give it to my and user's programs. And finally I'll just compare the outputs of both programs and see if the results are the same.

"I'll simply create a program which will be doing the same task." Manually?

If automatically.. You are a bit beyond me in programming skill for sure, because I can't think of a good way to do that.

Of course manually. I could for example wait for X people to finish their programs and then declare the most common output as the correct one, but I think that coding the task by myself is the best way to go.

That sounds like a lot of work, and a strange service, but at least I get what you're doing now :P

As far as actually doing this, sounds like Carl's idea is probably the most like what you want. Good luck!

Share Your Thoughts

  • Hot
  • Active