I am writing an online coding jude site like spoj.pl and i am creating a jail for compiling and executing the program. I wrote a script which takes c/c++ source code , compile and run the code. I need to execute this program in a jail created by debootstrap but i have to restrict permissions to my script and allow the binary to read only the - input/output files present in the original /home/ubuntu system.
Is it possible ?
Linux system:
/home/ubuntu:
This folder has
online_judge/scripts.py ...
input_output/input*.txt,output*.txt
/Jail
submissions/code.c
submissions/code.cpp
I need to invoke scripts.py of /home/ubuntu in the jail with restricted jail user ,compile the code and run the binary. The Jail user should never be able to access any of the /home/ubuntu files except input_output/input*txt which i can give then execute permission
You said that scripts.py is located in /home/ubuntu/online_judge, which is NOT in the /Jail. So, either you have the jail user restricted to /Jail or not. If the restricted jail user should execute online_judge/scripts.py you'd have to make it accessible somewhere under /Jail.
Hardlinks may help, e.g. "ln /home/ubuntu/online_judge/scripts.py /Jail/scripts.py", now the restricted jail user has access to scripts.py via /Jail/scripts.py. Be sure to restrict write-access to that file, otherwise s/he would modify both "copies".