Correct and secure way to have PHP execute a shell script



In my opinion, a good and simple way to get a secure environment to compile and run scripts is an LXC container.

You say you cannot use virtualization but technically it is just process isolation. Like a chroot on steroids. I have a container host that is itself a VM and I've got no issue with it so far. Really LXC is not virtualization and should suit your needs.

Here are some intro links:

For example, you can create a template container per game with all the required libraries to compile and run the uploaded code. This template can be secured and limited as you want for CPU, RAM and disk IO. I think it is also a good idea to turn off the network, either with lxc.network.flag = down or lxc.network.type = empty.

Then, when the code is uploaded, you can clone the template container, put the code in it and have it build and run the code.

All this would be done by a shell script called from PHP, or by a succession of PHP system calls, but that does not sound good.

Using unprivileged containers is a must for the kind of stuff you want to do as it provides an additional security layer.

I recommend using Ubuntu 14.04 as the LXC host. I think that a tweaked busybox template with the proper tools to compile and run the code is the lightest container you can get.

Here is the idea I get:

```bash
# clone the prepared template
lxc-clone -o myTemplate -n newContainer
# put the code archive in the new container
cp path/to/code path/to/container/and/where/you/want
# start the container as a daemon
lxc-start -n newContainer -d
# then launch the right script for the type of code in the container
lxc-attach -n newContainer -- su containeruser -c /path/to/script.sh
```

So the small job is to create the template with the required libs. The other job is to write the script that is called in the end.

Good luck with your project, I hope this helps.


Realistically, when giving people this kind of freedom, the only real safe step is to spin up a new virtual instance for each user session and 'burn' it as soon as the session closes. If you want some sort of permanence, cat their input, and run it on a new instance next time they visit. Even this has HUGE scope for being exploited, but damage to your system should be limited.


You want to create a service which enables compiling Java programs and launching them.

I understand that your question is not about how to launch those programs securely, because you assume that it has been taken care of.

So you want to know how to securely launch a shell script, in which you will give the name of the source code, and the arguments to javac.

First, you have many things to do.

The fact that you want to use system calls implies that you will allow exec in your whole Virtualhost. So if your FTP password, one of your PHP files, or anything is compromised, an attacker can upload a script, a binary program and execute it.

  1. You have to have your web site partition and temporary folders used by PHP in noexec mode in fstab
  2. You have to limit the files you can access within PHP with open_basedir restrictions, which has survived from the end of safe_mode. You will then allow with open_basedir the directory (which of course does not have the noexec flag)
  3. The directory containing your script and the script will have root.www-data permissions, and will not be writable by www-data
  4. You will have to protect the arguments passed to the script (which you have done with escapeshellarg) and any potential injection in the filename of the Java file (but we assume that it will be renamed before being transmitted, in order to avoid filename collisions between the different Java files you will receive)
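An added example of the PHP side of steps 3 and 4 above (not code from this answer): the script path is fixed, the uploaded file is renamed to a random name before it is ever handed to the shell, and javac options are whitelisted rather than sanitised. The paths /opt/judge/compile.sh and /var/judge/uploads, and the use of coreutils `timeout`, are assumptions for the example.

```php
<?php
// Added example, not from the original answer. Assumed layout:
//  - /opt/judge/compile.sh is root:www-data, mode 0750, on a partition
//    that is NOT mounted noexec, and is the only thing PHP may execute;
//  - /var/judge/uploads is inside open_basedir and mounted noexec.
const COMPILE_SCRIPT = '/opt/judge/compile.sh';   // assumed path
const UPLOAD_DIR     = '/var/judge/uploads';       // assumed path

/**
 * Store an uploaded Java file under a collision-free name and compile it.
 * Returns [exit status, output lines]. No client-chosen string ever
 * reaches the shell unescaped: the filename is replaced, and javac flags
 * are taken from a fixed allow-list.
 */
function compileUploadedJava(string $tmpUploadPath, array $requestedFlags): array
{
    // Step 4: rename on arrival. A random name removes both the injection
    // risk in the original filename and collisions between submissions.
    $stored = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.java';
    if (!move_uploaded_file($tmpUploadPath, $stored)) {
        throw new RuntimeException('upload could not be stored');
    }

    // Only pass javac options we explicitly allow; anything else is dropped
    // rather than "cleaned", so there is nothing for an attacker to bypass.
    $allowed = ['-Xlint:all', '-g', '-nowarn'];
    $flags = array_values(array_intersect($requestedFlags, $allowed));

    // Step 3: the script path is a constant; every argument is escaped.
    $cmd = COMPILE_SCRIPT . ' ' . escapeshellarg($stored);
    foreach ($flags as $f) {
        $cmd .= ' ' . escapeshellarg($f);
    }

    // Bound the run time (assumes coreutils `timeout`) and capture status
    // and combined stdout/stderr for the caller to show or log.
    $output = [];
    $status = 1;
    exec('timeout 30 ' . $cmd . ' 2>&1', $output, $status);
    return [$status, $output];
}
```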