Only run "untrusted" programs under sudo
[gruntmaster-daemon.git] / gruntmaster-exec
1 #!/usr/bin/perl
2 use v5.14;
3 use strict;
4 use warnings;
5
# Verdict codes.  The supervising process prints one of them on the first
# line of its report, followed by a human-readable message.
use constant {
    AC   => 0,     # Accepted ("All OK")
    ERR  => -1,    # Internal server error
    # Everything below is some other kind of failure.
    WA   => 1,     # not emitted by this script
    NZX  => 2,     # non-zero exit status
    TLE  => 3,     # time limit exceeded
    OLE  => 4,     # output limit exceeded (child got SIGXFSZ)
    DIED => 5,     # child was killed by another signal
    REJ  => 10,    # not emitted by this script
};

# Numeric ids used for the privilege drop when --nobody is not given.
# ex/makevm rewrites these two constants.
# NOTE(review): 65534 is conventionally nobody/nogroup; confirm on the
# target system.
use constant USER  => 65534;
use constant GROUP => 65534;
24
25 use BSD::Resource qw/setrlimit RLIMIT_AS RLIMIT_FSIZE RLIMIT_NPROC/;
26 use IPC::Signal qw/sig_name sig_num/;
27 use sigtrap qw/XFSZ/;
28
29 use Getopt::Long;
30 use POSIX qw//;
31 use Text::ParseWords qw/shellwords/;
32 use Time::HiRes qw/alarm/;
33
# Options:
#   --fd "N FILE"   open FILE and make it descriptor N in the child (repeatable)
#   --timeout SECS  wall-clock limit enforced by the parent (fractional allowed)
#   --mlimit BYTES  RLIMIT_AS for the child
#   --olimit BYTES  RLIMIT_FSIZE for the child
#   --[no]close     close descriptors 0 .. 50 in the child first (default: on)
#   --[no]nobody    treat the command as untrusted
# NOTE(review): the result of GetOptions is not checked, so a mistyped or
# malformed limit option leaves its variable undef and the matching
# setrlimit call further down is skipped.
my (@fds, $timeout, $mlimit, $olimit, $nobody);
my $close = 1;

GetOptions(
    'fd=s'      => \@fds,
    'timeout=f' => \$timeout,
    'mlimit=i'  => \$mlimit,
    'olimit=i'  => \$olimit,
    'close!'    => \$close,
    'nobody!'   => \$nobody,
);

# When set, the timeout handler kills every process of this user with
# pkill instead of signalling only the direct child.
my $killuser = $ENV{GRUNTMASTER_KILL_USER};

# Command prefix for untrusted runs.  It is taken from the environment and
# split like a shell command line, so whoever controls GRUNTMASTER_SUDO
# controls what is executed.  The trailing '--' separates the prefix from
# the judged command, presumably so that none of its words are read as
# options of the prefix.
my @sudo;
if ($ENV{GRUNTMASTER_SUDO} && $nobody) {
    @sudo = (shellwords($ENV{GRUNTMASTER_SUDO}), '--');

    # sudo wants a lot of address space.  This replaces whatever --mlimit
    # asked for, so the caller's memory limit is not the one applied on
    # this path.
    $mlimit = 1_000_000_000;
}
50
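# Fork once.  The parent supervises (timeout, exit-status decoding, verdict
# line); the child builds the sandbox (descriptors, environment, resource
# limits, identity) and execs the command left in @ARGV.
my $ret = fork // die 'Cannot fork';
if ($ret) {
    my $tle;

    # On timeout, kill either every process of $killuser (via the sudo
    # prefix, if any) or just the direct child, and remember why.
    local $SIG{ALRM} = sub {
        if ($killuser) {
            system @sudo, 'pkill', '-KILL', '-u', $killuser;
        } else {
            kill KILL => $ret;
        }
        $tle = 1;
    };
    alarm($timeout || 5);    # falls back to 5 seconds when no --timeout is given
    waitpid $ret, 0;
    alarm 0;

    if (@sudo) {
        # What was waited for is the prefix command, so the interesting
        # value is its exit code.  Codes below 128 are turned back into a
        # plain exit status, anything else into signal number code - 128
        # (presumably how sudo reports a signalled command; confirm).
        $? = $? >> 8;
        $? = $? < 128 ? ($? << 8) : $? - 128;
    }

    my $sig     = $? & 127;
    my $signame = sig_name $sig;

    # First matching verdict wins.  say returns true, so the exit status
    # of the supervisor itself is 0 whenever the verdict could be printed.
    exit !say TLE, "\nTime Limit Exceeded" if $tle;
    exit !say OLE, "\nOutput Limit Exceeded" if $sig && $signame eq 'XFSZ';
    exit !say DIED, "\nCrash (SIG$signame)" if $sig && $signame ne 'PIPE';
    exit !say NZX, "\nNon-zero exit status: " . ($? >> 8) if $? >> 8;
    exit !say AC, "\nAll OK";
} else {
    # Descriptors up to $^F are not close-on-exec, so everything placed in
    # 0 .. 50 below survives the exec.
    $^F = 50;
    if ($close) {
        # Drop whatever was inherited in that range before opening the
        # requested files.
        POSIX::close $_ for 0 .. $^F;
    }

    for my $fdstring (@fds) {
        my ($fd, $file) = split ' ', $fdstring, 2;

        # NOTE(review): two-argument open is kept because the mode travels
        # inside $file.  It also honours the pipe and dup forms of open,
        # so --fd values must only ever come from the trusted caller.
        open my $fh, $file or die $!;
        my $oldfd = fileno $fh;
        if ($oldfd != $fd) {
            POSIX::dup2 $oldfd, $fd or die $!;
            POSIX::close $oldfd or die $!;
        }
    }

    my $nproc = $killuser ? 5 : 1;
    %ENV = (ONLINE_JUDGE => 1, PATH => $ENV{PATH}, HOME => $ENV{HOME});

    # Limits are applied before the identity switch and are inherited
    # across exec.
    setrlimit RLIMIT_AS, $mlimit, $mlimit or die $! if $mlimit;
    setrlimit RLIMIT_FSIZE, $olimit, $olimit or die $! if $olimit;
    setrlimit RLIMIT_NPROC, $nproc, $nproc or die $! if $nobody;

    # Privilege drop.  The group id goes to setgid and the user id to
    # setuid; the two constants were swapped before, which only went
    # unnoticed while USER and GROUP held the same number.
    my $target_gid = $nobody ? 65534 : GROUP;
    my $target_uid = $nobody ? 65534 : USER;

    # Fail closed: a process that starts as root must never reach exec
    # with a failed drop.  Without root the calls stay best-effort, as
    # before, because the switch is then expected to fail.
    my $privileged = $> == 0;
    unless (POSIX::setgid($target_gid)) {
        die "Cannot setgid to $target_gid: $!" if $privileged;
    }
    unless (POSIX::setuid($target_uid)) {
        die "Cannot setuid to $target_uid: $!" if $privileged;
    }
    # NOTE(review): supplementary groups are not cleared here; a root
    # caller keeps them across the drop.

    unshift @ARGV, @sudo;
    say STDERR "Execing: ", join ' ', map { "'$_'" } @ARGV;

    # NOTE(review): if @ARGV holds a single word containing shell
    # metacharacters, exec hands it to the shell; callers should pass the
    # command as separate words.
    exec @ARGV;

    # Only reached when exec failed.  Without this the child would fall
    # off the end of the script, exit 0, and be reported as "All OK".
    die "Cannot exec: $!";
}

1;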
103 __END__
104
105 =encoding utf-8
106
107 =head1 NAME
108
109 gruntmaster-exec - Gruntmaster 6000 executor
110
111 =head1 SYNOPSIS
112
113 gruntmaster-exec 20000000 111 echo 'Hello, world!'
114
115 =head1 DESCRIPTION
116
117 gruntmaster-exec is the script used by gruntmasterd to run programs.
118
119 The first argument is the address space limit (in bytes), the second argument is the output limit (also in bytes). The rest of the arguments are the command that should be run and its arguments.
120
121 gruntmaster-exec sets the resource limits, cleans the environment (except for PATH and HOME), adds the ONLINE_JUDGE environment variable with value 1, and finally C<exec>s the given command.
122
123 =head1 AUTHOR
124
125 Marius Gavrilescu E<lt>marius@ieval.roE<gt>
126
127 =head1 COPYRIGHT AND LICENSE
128
129 Copyright (C) 2014 by Marius Gavrilescu
130
131 This program is free software: you can redistribute it and/or modify
132 it under the terms of the GNU Affero General Public License as published by
133 the Free Software Foundation, either version 3 of the License, or
134 (at your option) any later version.