-
Notifications
You must be signed in to change notification settings - Fork 76
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Codejail cannot run without a user set #162
Comments
timmc-edx
added a commit
that referenced
this issue
Nov 29, 2023
This still doesn't work as described, as codejail's confinement still denies it the ability to create a temp directory, but it's closer. - Specify the use of `--copies` when setting up the sandbox virtualenv - Include the `user` argument to work around TMPDIR bug (#162) and link to the issue from a code comment - Use an unambiguous test for safe/usafe configuration (return the value using jailed globals, and bypass some issues with output streams) - Ensure that reading codejail checkout is permitted by apparmor Also: - Use the venv module rather than the virtualenv command, for better compatibility with varying system configurations - Don't bother activating virtualenv, just call its pip directly - Note the ordinarily-unsafe presence of find in the sudoers example - Use correct inline code syntax for rst
timmc-edx
added a commit
that referenced
this issue
Dec 5, 2023
This still doesn't work as described, as codejail's confinement still denies it the ability to create a temp directory, but it's closer. - Specify the use of `--copies` when setting up the sandbox virtualenv - Include the `user` argument to work around TMPDIR bug (#162) and link to the issue from a code comment - Use an unambiguous test for safe/usafe configuration (return the value using jailed globals, and bypass some issues with output streams) - Ensure that reading codejail checkout is permitted by apparmor Also: - Use the venv module rather than the virtualenv command, for better compatibility with varying system configurations - Don't bother activating virtualenv, just call its pip directly - Note the ordinarily-unsafe presence of find in the sudoers example - Use correct inline code syntax for rst
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
If codejail is not configured with a user to run commands as, jailed code execution will fail. Effectively, this makes the
user
config option mandatory rather than optional.This probably hasn't come up much because most users would configure it with a user. One possibility is to just make the option mandatory.
Details:
jail_code.py
builds up a list to pass to subprocess.Popen. This is run as a command with arguments, rather than a shell command string. However, one of the arguments is'TMPDIR=tmp'
, a construction to set an environment variable for a process in Bash.TMPDIR=tmp python ...
works fine in Bash, butsubprocess.Popen(['TMPDIR=tmp', 'python', ...])
does not work because TMPDIR=tmp is not a valid executable.The reason it works with a user configured is that the command array will then first be prefixed with
['sudo', '-u', user]
. The sudo command interprets the remainder of its arguments as a shell string rather than a command and arguments.The text was updated successfully, but these errors were encountered: