What are the risks of invoking Java, and what security risks should I guard against when running user-supplied Java code?...

Is there a comprehensive list of the security issues with running user-supplied Java code on a server? I'm already:

- using timeouts of 10 seconds
- running code in a separate process with limited available memory
- using SecurityManager to prevent File and Network IO
- running code under an account with extremely limited filesystem permissions

I'm running this on a FreeBSD server if that matters.

Solution

Looks like a very good start - Security Manager is essential for sandboxing a whole bunch of other stuff you don't mention explicitly (like preventing the user from disabling the Security Manager, of course, and being able to invoke arbitrary commands, or use native code, or get the OS to exec files etc). I assume you are starting from zero permissions and just granting the explicit permissions needed.

Security Manager can't deal with denial-of-service through excessive resource usage, but your other controls probably address this (prevent network connections, control disk usage, timeouts to prevent CPU hogging - if that's what you meant by timeouts).

You say "extremely limited filesystem permissions" - hopefully this also includes disk quota? Are you running multiple untrusted processes, and do they share disk space? Running out of file handles might be an issue (not sure how these are managed for a limited account).

There are still occasional JVM vulnerabilities, so the risk depends on what else is on the server, and what the consequences of a problem actually are (how bad is it if you have to wipe the server?).
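The "start from zero permissions" sandbox the answer describes, as an added example that is not part of the original thread: a deny-all `java.security.Policy` plus a `SecurityManager`, followed by probes for the things the answer says the manager must block (disabling itself, exec, native code, network). The class and probe names are my own; it assumes JDK 17 started with `-Djava.security.manager=allow`.

```java
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.util.concurrent.Callable;

// Added example, not code from the original question or answer.
// Run with: java -Djava.security.manager=allow SandboxDemo   (JDK 17, assumed)
public class SandboxDemo {

    /** Start from zero permissions: nothing is granted to any code source. */
    static final class DenyAllPolicy extends Policy {
        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            return false;
        }
    }

    /** Runs one probe and reports whether the SecurityManager stopped it. */
    static String probe(String name, Callable<?> action) {
        try {
            action.call();
            return name + ": ALLOWED";
        } catch (SecurityException e) {
            return name + ": denied (" + e.getMessage() + ")";
        } catch (Exception e) {
            return name + ": failed for another reason (" + e + ")";
        }
    }

    public static void main(String[] args) {
        Policy.setPolicy(new DenyAllPolicy());
        System.setSecurityManager(new SecurityManager());

        // 1. Untrusted code must not be able to switch the manager off
        //    (RuntimePermission "setSecurityManager").
        System.out.println(probe("disable SecurityManager",
                () -> { System.setSecurityManager(null); return null; }));
        // 2. No arbitrary OS commands (FilePermission ... "execute").
        System.out.println(probe("Runtime.exec",
                () -> Runtime.getRuntime().exec(new String[]{"/bin/true"})));
        // 3. No native code (RuntimePermission "loadLibrary.<name>").
        System.out.println(probe("System.loadLibrary",
                () -> { System.loadLibrary("anything"); return null; }));
        // 4. No network connections (SocketPermission "connect").
        System.out.println(probe("open socket",
                () -> new java.net.Socket("127.0.0.1", 80)));
    }
}
```

Every probe should report "denied"; any line reporting "ALLOWED" means the policy grants more than intended. Note that `SecurityManager` is deprecated for removal since JDK 17 and permanently disabled in JDK 24, so on current JDKs this layer has to come from the OS controls the question already lists (separate process, limited account, resource limits).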
