Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Codejail cannot run without a user set #162

Open
timmc-edx opened this issue Nov 22, 2023 · 0 comments
Open

Codejail cannot run without a user set #162

timmc-edx opened this issue Nov 22, 2023 · 0 comments

Comments

@timmc-edx
Copy link
Contributor

If codejail is not configured with a user to run commands as, jailed code execution will fail. Effectively, this makes the user config option mandatory rather than optional.

This probably hasn't come up much because most users would configure it with a user. One possibility is to just make the option mandatory.

Details:

jail_code.py builds up a list to pass to subprocess.Popen. This is run as a command with arguments, rather than a shell command string. However, one of the arguments is 'TMPDIR=tmp', a construction to set an environment variable for a process in Bash. TMPDIR=tmp python ... works fine in Bash, but subprocess.Popen(['TMPDIR=tmp', 'python', ...]) does not work because TMPDIR=tmp is not a valid executable.

The reason it works with a user configured is that the command array will then first be prefixed with ['sudo', '-u', user]. The sudo command interprets the remainder of its arguments as a shell string rather than a command and arguments.
timmc-edx added a commit that referenced this issue Nov 29, 2023
@timmc-edx
docs: Various fixes to codejail setup instructions (copies, user)
2754165 
This still doesn't work as described, as codejail's confinement still
denies it the ability to create a temp directory, but it's closer.

- Specify the use of `--copies` when setting up the sandbox virtualenv
- Include the `user` argument to work around TMPDIR bug
  (#162) and link to the issue
  from a code comment
- Use an unambiguous test for safe/usafe configuration (return the value
  using jailed globals, and bypass some issues with output streams)
- Ensure that reading codejail checkout is permitted by apparmor

Also:

- Use the venv module rather than the virtualenv command, for better
  compatibility with varying system configurations
- Don't bother activating virtualenv, just call its pip directly
- Note the ordinarily-unsafe presence of find in the sudoers example
- Use correct inline code syntax for rst
@timmc-edx timmc-edx mentioned this issue Nov 29, 2023
Merged
timmc-edx added a commit that referenced this issue Dec 5, 2023
@timmc-edx
docs: Various fixes to codejail setup instructions (copies, user) (#164)
96abed1 
This still doesn't work as described, as codejail's confinement still
denies it the ability to create a temp directory, but it's closer.

- Specify the use of `--copies` when setting up the sandbox virtualenv
- Include the `user` argument to work around TMPDIR bug
  (#162) and link to the issue
  from a code comment
- Use an unambiguous test for safe/usafe configuration (return the value
  using jailed globals, and bypass some issues with output streams)
- Ensure that reading codejail checkout is permitted by apparmor

Also:

- Use the venv module rather than the virtualenv command, for better
  compatibility with varying system configurations
- Don't bother activating virtualenv, just call its pip directly
- Note the ordinarily-unsafe presence of find in the sudoers example
- Use correct inline code syntax for rst
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@timmc-edx