Context: I’m wanting to write a programming competition site for our school, and I know I need to prevent file IO abuse from submitted programs. However, what I’m wanting to find out how to do is prevent someone from writing a program that can execute other programs. For example, someone could submit a Java program that uses the Runtime or ProcessBuilder classes to do some malicious things on our server, break the site, or mess with another competitor.
What ways are there to defend against this on unix/linux and (just for future reference) windows servers?
Real-time online programming competitions are cool… but there are many ways to get it wrong. I remember a Java one we used at our school that had url hacking vulnerabilities, File IO execution vulnerability, etc. I was able to add friends from other schools and list the files on the server. I’m surprised the system is still up. As mentioned in the comments, you are probably better off to avoid any remote program execution of any kind.