From: Kris Kennaway (krisobsecurity.org)
Date: Wed Jun 13 2001 - 15:03:13 CDT

    On Wed, Jun 13, 2001 at 09:24:02AM +0300, Alex Popa wrote:

    > The step I am worried about is the compiling, since I do need to have
    > the include files and libraries available. The output should be a
    > statically linked file, which would run in a jail (separate one per
    > source file) which contains nothing more than the compiled binary, and
    > the input file. The evaluation program will run in a separate jail,
    > given only the output file from the program, and maybe an "expected
    > results" file. I plan on using ipfw to block all traffic on that
    > machine (will be a dedicated machine) not coming from a few trusted
    > uids (like root and the evaluation process). I also plan on setting up
    > resource limits, and not running more evaluation jobs at the same time
    > (ruins timing).

    You could do this step in a jail if you wanted to. If you're using
    user-supplied makefiles, then they can run arbitrary commands. If
    you're using a fixed set of compiler invocations and the standard
    toolchain then it should probably be okay (I don't know of any ways to
    cause the compiler toolchain to execute arbitrary commands during
    compilation).

    Kris

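
A sketch of the fixed compiler invocation the reply describes, as an added example that is not part of the original thread: the harness never runs make or a shell, the submitter controls only the file contents, and the compiler runs under resource limits. The compiler path, flags, file-name pattern, limit values and function names are assumptions chosen for illustration.

```python
import re
import resource
import subprocess

# Assumed values for this sketch (not from the thread): path, flags, limits.
CC = "/usr/bin/cc"
FIXED_FLAGS = ["-static", "-O2", "-o", "prog"]   # statically linked output
SAFE_NAME = re.compile(r"[A-Za-z0-9_]{1,32}\.c")
CPU_SECONDS = 30
MAX_OUTPUT_BYTES = 16 * 1024 * 1024
COMPILE_ENV = {"PATH": "/usr/bin:/bin", "LANG": "C"}


def build_compile_argv(source_name):
    """Return the fixed compiler argv for one submitted file, or raise ValueError.

    The name must match a strict pattern, so it cannot begin with '-' (and be
    parsed as an option) or contain a path separator or shell metacharacter.
    """
    if not SAFE_NAME.fullmatch(source_name):
        raise ValueError("rejected source name: %r" % source_name)
    # The "./" prefix keeps the operand from ever being read as an option.
    return [CC] + FIXED_FLAGS + ["./" + source_name]


def _apply_limits():
    # Runs in the child just before exec: bound compiler CPU time and file size.
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_SECONDS, CPU_SECONDS))
    resource.setrlimit(resource.RLIMIT_FSIZE, (MAX_OUTPUT_BYTES, MAX_OUTPUT_BYTES))


def compile_submission(workdir, source_name, timeout=60):
    """Compile one file in workdir: no make, no shell, no inherited environment.

    Intended to be called from inside the compile jail. Returns (ok, output).
    """
    argv = build_compile_argv(source_name)
    try:
        proc = subprocess.run(
            argv, cwd=workdir, env=COMPILE_ENV, stdin=subprocess.DEVNULL,
            stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
            preexec_fn=_apply_limits, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return False, b"compile timed out"
    return proc.returncode == 0, proc.stdout
```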