Footnote to history: I liked codepad so much when I first saw it on HN back in 2008, I tracked down the guy who made it (Steve Hazel/sah) and made him my co-founder! :-)
How does it feel to be the author of a goddamn resume requirement? :-P
Until then, we've got work to do!
Now there's one for the bucket list...
I've built something similar for my upcoming programmer-testing service at http://codeboff.in and this is one of the precautions I've taken in my own sandboxing arrangement.
In fact it looks like '/etc/passwd' is readable to the compiler after all.
A decoy /etc/passwd is a bit less plausible to me.
If I had to build a compile-and-run sandbox, I'd also look into SELinux or AppArmor. However, blocking reads to /etc/passwd will disable getpwent(), which innocent programs may occasionally use, and with shadow passwords, /etc/passwd should not be sensitive anyway.
With AppArmor, at least, it is perfectly possible to assign different policies to the same program. Policies are applied to programs identified by pathname so all one needs to do to sandbox, for instance, /usr/bin/gcc:
1. ln /usr/bin/gcc-4.4 ~/sandbox/compilers/gcc
2. Create and enforce an apparmor policy for ~/sandbox/compilers/gcc
3. Remember to use only ~/sandbox/compilers/gcc for untrusted code.
I do this (among other things) for my platform, and given that I only require user-submitted code to solve one of a limited set of algorithmic challenges, I can get away with blocking access to /etc/passwd (and everything else but a restricted whitelist).
I'd have to learn SOAP first, but I've been meaning to do a website similar to tryruby.com for one of my projects. This looks like it could definitely help.