Run student code
run_student_code allows code to be executed with limited resources and privileges. It is intended for testing and marking of student code.
The code is run as a subordinate uid/gid and will not have read/write access to files owned by the executing user unless they are publicly readable/writeable. Anything the command needs to read must therefore be world-readable, or be handed over for the duration of the run with --chown (described below).
    $ run_student_code id
    uid=65534(nobody) gid=60001(nobody) groups=60001(nobody)
    $ ls ~|wc -l
    85
    $ run_student_code ls ~
    ls: cannot open directory '/import/adams/1/andrewt': Permission denied
If a pathname is supplied via --chown it is recursively chowned to the subordinate uid before running the command and chowned back to the user's primary uid afterwards. The pathname must be on a local filesystem, not NFS. While the command runs, the whole tree belongs to the subordinate uid and can be modified by the command, so keep anything the student code must not be able to change (expected outputs, marking scripts) outside the chowned tree.
This allows execution in a temporary directory with any files created by the command chowned back to the user.
    $ temp_dir=$(mktemp -d)
    $ cd $temp_dir
    $ printf '#include <stdio.h>\nint main(void) {printf("Hello Andrew\\n");}' >a.c
    $ ls -l a.c
    -rw-r--r-- 1 andrewt andrewt 61 Jun 15 20:05 a.c
    $ run_student_code --chown $temp_dir sh -c '
    id
    clang a.c
    ./a.out >output
    ls -l *
    '
    uid=65534(nobody) gid=60001(nobody) groups=60001(nobody)
    -rw-r--r-- 1 nobody nobody 61 Jun 16 08:29 a.c
    -rwxr-xr-x 1 nobody nobody 16528 Jun 16 08:30 a.out
    -rw-r--r-- 1 nobody nobody 13 Jun 16 08:30 output
    $ ls -l *
    -rw-r--r-- 1 andrewt andrewt 61 Jun 16 08:29 a.c
    -rwxr-xr-x 1 andrewt andrewt 16528 Jun 16 08:30 a.out
    -rw-r--r-- 1 andrewt andrewt 13 Jun 16 08:30 output
By default the network namespace is unshared before running the command, so the command has no network access. If network access is required, this can be disabled with --allow-network-access.
    $ run_student_code sh -c 'curl -sL https://deb.debian.org/debian/dists/stable/InRelease|wc -l'
    0
    $ run_student_code --allow-network-access sh -c 'curl -sL https://deb.debian.org/debian/dists/stable/InRelease|wc -l'
    1258
The directories /home, /import, /export and /web can optionally be hidden with the option --hide-home-directories:
    $ run_student_code ls /home/cs1511/public_html/index.html
    /home/cs1511/public_html/index.html
    $ run_student_code --hide-home-directories ls /home/cs1511/public_html/index.html
    ls: cannot access '/home/cs1511/public_html/index.html': Permission denied
By default the command is run in a cgroup limited to 128 processes. A different limit can be specified with -u. Note this is different from ulimit -u, which specifies a (less useful) per-user limit.
    $ run_student_code -u 5 sh -c 'for i in $(seq 1 10); do sleep 10 & echo $i; done'
    1
    2
    3
    4
    sh: 0: Cannot fork
These resource limits are set by default:

    max_core_size=0
    max_file_size_bytes=8192000
    max_rss_bytes=100000000
    max_open_files=256
    max_stack_bytes=32000000
    max_cpu_seconds=60

Alternative values can be set using the same flag letters as the bash ulimit builtin (-c core size, -f file size, -m resident set size, -n open files, -s stack size, -t CPU seconds). Note that the defaults above are given in bytes, whereas bash's own ulimit takes -m and -s in kilobytes and -f in 512-byte blocks, so check which units run_student_code expects for a flag before relying on it.
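The --chown procedure above, together with the -u process limit and a ulimit-style CPU limit, is what a marking script needs. The following is an added example of such a harness and is not part of run_student_code or this page; it assumes run_student_code is on PATH and accepts --chown, -u and (per the statement above about bash ulimit flags) -t, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not run_student_code's own code): a minimal marking harness.
# Assumes run_student_code is on PATH and accepts --chown, -u and the
# bash-ulimit-style -t flag; RUNNER, MAX_PROCS, MAX_CPU and mark_submission
# are names chosen for this example.

RUNNER=${RUNNER:-run_student_code}
MAX_PROCS=${MAX_PROCS:-32}   # cgroup process limit (-u), instead of the default 128
MAX_CPU=${MAX_CPU:-10}       # CPU seconds (-t, bash ulimit letter); assumed to be accepted

# mark_submission SUBMISSION_DIR INPUT_FILE EXPECTED_FILE COMMAND...
# Copies SUBMISSION_DIR into a fresh temporary directory on a local
# filesystem, runs COMMAND inside it as the subordinate uid with stdin taken
# from a copy of INPUT_FILE, and compares stdout with EXPECTED_FILE.
# Returns 0 on a match, 1 on a mismatch or failed command, 2 on a harness error.
mark_submission() {
    sub_dir=$1 input=$2 expected=$3
    shift 3
    work=$(mktemp -d "${TMPDIR:-/tmp}/mark.XXXXXX") || return 2

    # Everything the student program must read has to live inside the chowned
    # tree: files owned by the marker are unreadable to the subordinate uid
    # unless world-readable.  EXPECTED_FILE stays outside the tree and is
    # compared only after the run, so the student code cannot alter it.
    if ! cp -R "$sub_dir"/. "$work/" || ! cp "$input" "$work/.input"; then
        rm -rf "$work"
        return 2
    fi

    # --chown hands the tree to the subordinate uid for the duration of the
    # command and back to us afterwards.  Network access stays disabled (the
    # default).  COMMAND is passed as arguments to sh -c, never interpolated
    # into the script string, so odd file names cannot change the script.
    if $RUNNER --chown "$work" -u "$MAX_PROCS" -t "$MAX_CPU" \
        sh -c 'cd "$1" && shift && exec "$@" <.input >.output 2>.stderr' _ "$work" "$@"
    then
        run_status=0
    else
        run_status=$?
    fi

    if [ "$run_status" -eq 0 ] && cmp -s "$work/.output" "$expected"; then
        verdict=0
    else
        verdict=1
    fi
    rm -rf "$work"   # the tree is owned by us again after the chown back
    return "$verdict"
}

# Usage: sh marker.sh mark SUBMISSION_DIR INPUT_FILE EXPECTED_FILE COMMAND...
# e.g.   sh marker.sh mark ./z1234567 tests/1.in tests/1.out sh -c 'clang a.c && ./a.out'
case ${1-} in
    mark) shift; mark_submission "$@"; exit $? ;;
esac
```

The verdict is decided outside the sandbox from a file the student code could not reach, and the work tree is discarded whether or not the run succeeded, so a submission that leaves processes or files behind cannot affect the next one.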
Limitations
run_student_code reduces the damage that buggy or careless code can do (a separate uid, no network, process and resource limits), but it is not a security boundary against a determined adversary and should not be relied on to sandbox malicious code.