
It seems a large part of the previous discussion surrounded sandboxing Python; anyone know where the author is with that? I find it hard to believe it would be very hard if you just embed the player's game in a C++ engine.



Well, it turns out you can't sandbox Python at the language level. So now each user's code is run (a) in a separate process (b) in a chroot jail (c) as user nobody (d) with umask set to 0 (e) with a time limit of 300ms.
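
The five measures listed in the comment above, sketched as an added example (not the commenter's code). The name `run_untrusted` and its parameters are assumptions; the chroot and uid steps need root and are skipped when `jail` and `uid` are not given.

```python
import os
import signal
import time


def run_untrusted(func, jail=None, uid=None, gid=None, timeout=0.3):
    """Run func() in a forked child; return 'ok', 'error' or 'timeout'."""
    pid = os.fork()
    if pid == 0:                          # (a) separate process
        status = 1
        try:
            if jail is not None:          # (b) chroot jail (requires root)
                os.chroot(jail)
                os.chdir("/")             # do not keep a cwd outside the jail
            if uid is not None:           # (c) drop to an unprivileged user
                os.setgroups([])          # clear supplementary groups first
                os.setgid(gid if gid is not None else uid)
                os.setuid(uid)            # last: cannot be undone afterwards
            os.umask(0)                   # (d) umask value as given in the comment
            func()
            status = 0
        except BaseException:             # includes SystemExit from the user code
            status = 1
        finally:
            os._exit(status)              # never return into the parent's code
    # (e) wall-clock limit enforced by the parent, 300 ms by default
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        done, wstatus = os.waitpid(pid, os.WNOHANG)
        if done:
            clean = os.WIFEXITED(wstatus) and os.WEXITSTATUS(wstatus) == 0
            return "ok" if clean else "error"
        time.sleep(0.005)
    os.kill(pid, signal.SIGKILL)          # child cannot catch or ignore SIGKILL
    os.waitpid(pid, 0)                    # reap the child so no zombie is left
    return "timeout"


def _spin():                              # constructed sample: never terminates
    while True:
        pass


if __name__ == "__main__":
    print(run_untrusted(lambda: sum(range(1000))))
    print(run_untrusted(_spin))
```

The order inside the child matters: `chroot` and the group changes must happen before `setuid`, because they need the privileges that `setuid` gives up.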


Have you experimented with using Linux's cgroups for real security? (e.g. you can white/black-list specific syscalls, set time & memory limits etc, all at the kernel level)

Example sandbox: https://github.com/thestinger/playpen


I thought PyPy had a sandboxed mode, did you get to experiment with it? If you did, what did you think?


PyPy has a fairly advanced sandbox, and as a side effect your code will probably run faster.


Also, with network connections firewalled via iptables.



