Reputation: 409
My question is similar to this question, but I didn't get my answer.
I am trying to design a judge.
The users of the online judge system submit their source code, then the server program compiles and runs it. So the server program must keep the server safe.
And there are a lot of things a user can use to make changes to the server.
How can I change the permissions of a program, so that compiled code won't be able to do anything except print something?
P.S.: Searching for suspicious words is not a good idea. For instance, the user can use the following command instead of the word system in C++:
    #define glue(a,b) a ## b
    glue(sys,tem) ("rm *"); //DO NOT RUN THIS CODE
So the user actually used the following code without using the word system:
    system ("rm *"); //DO NOT RUN THIS CODE
Upvotes: 1
Views: 137
Reputation: 140641
There are two options for you: the one you are currently looking into - trying to make your compiler, aka the server process that runs the user-provided source code, detect "exploits". And that might be hard. If you allow users to send you C++ source code, there are a lot of things that become possible. I guess you would need some real C++ gurus in order to get that solution even "half way secure".
So, option two: you have to run that user-provided input within some sort of sandbox. Examples could be:
If you are serious about what you are doing, you would probably focus on option 2 first (because that gives you a lot of benefit, at medium cost); but you definitely want to look into option 1, too (because one could learn from that a lot).
Upvotes: 2
Reputation: 15164
You can run them in a chroot jail, with user id set to nobody or some nonce account if nobody actually can do something significant. (You can use su or sudo for this.) Or even in their own VM. Pipe the output into a file, and read it from your judge program.
Upvotes: 1
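The chroot-plus-unprivileged-account approach from the answer above, written out as a launcher the judge could call. This is an added example, not code from the thread. The names run_jailed and SETUP_FAILED, the limit values and uid/gid 65534 for nobody are assumptions, as is a jail directory that already holds the compiled (statically linked) submission.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* exposes chroot() and setgroups() */
#endif
#include <fcntl.h>
#include <grp.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

#define SETUP_FAILED 125         /* constructed code: sandbox could not be built */
static int limit(int what, rlim_t v) {
    struct rlimit r = { v, v };  /* soft = hard, so the child cannot raise it */
    return setrlimit(what, &r);
}

/* Runs prog (a path inside jail) as uid/gid with stdout written to outfile.
 * Must be called as root. Returns the exit code, 128+signal if killed,
 * SETUP_FAILED if any sandboxing step failed, -1 on open/fork/wait error. */
int run_jailed(const char *jail, const char *prog, uid_t uid, gid_t gid,
               const char *outfile) {
    int out = open(outfile, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0600);
    if (out < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(out); return -1; }
    if (pid == 0) {              /* child: every failure exits before exec */
        char *const argv[] = { (char *)prog, NULL };
        char *const envp[] = { NULL };          /* empty environment */
        if (dup2(out, STDOUT_FILENO) < 0 ||     /* "pipe the output into a file" */
            limit(RLIMIT_CPU, 2) ||             /* seconds of CPU time */
            limit(RLIMIT_AS, 256UL << 20) ||    /* 256 MiB address space */
            limit(RLIMIT_FSIZE, 1UL << 20) ||   /* 1 MiB of output */
            limit(RLIMIT_NPROC, 1) ||           /* per-uid: use a dedicated account */
            chroot(jail) || chdir("/") ||       /* chdir, or cwd stays outside */
            setgroups(0, NULL) ||               /* needs root, so do it first */
            setgid(gid) || setuid(uid) ||       /* gid before uid */
            setuid(0) == 0)                     /* regaining root must fail */
            _exit(SETUP_FAILED);
        execve(prog, argv, envp);
        _exit(SETUP_FAILED);                    /* exec itself failed */
    }
    close(out);
    int st;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : 128 + WTERMSIG(st);
}

int main(int argc, char **argv) {   /* usage: judge-run JAIL PROG OUTFILE */
    return argc == 4 ? run_jailed(argv[1], argv[2], 65534, 65534, argv[3]) : 2;
}
```

RLIMIT_CPU only counts CPU time, so a submission that sleeps is not stopped by it; the judge still needs its own wall-clock timeout that kills the child.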