Hacker News new | comments | show | ask | jobs | submit login

Execv'ing processes is OK as long as you don't fork:

    __import__("os").execv("/usr/bin/uname", ["uname", "-a"])
    Linux ip-10-196-3-111 2.6.32-amazon-xen-r3 #1 SMP Mon Jan 16 21:03:16 PST 2012 i686 GNU/Linux
As for the actual files, there are a few clues that a chroot is created for every request : /proc is not mounted, /etc is minimal (root + 1 user in passwd) and "ls -id /" returns a new inode number every time.

Yeah, we are using chroot (along with other things) to sandbox things on a per request basis.

- Tejas from Team PythonMonk (I built the sandboxing stuff)

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact