
The Python example in parent printed an /etc/passwd full of nobody-accounts. From my error message, I only know that the first line in the compilation environment is a nobody-account. In all /etc/passwds I remember having dealt with (mostly the distribution-maintained ones of Linux distributions), the first line was the root account. This is by no means a proof that the compilation environment is guarded, but a strong hint.



OK, but I wonder if it's not easier to just block access to /etc/passwd from the compiler while it is compiling user-submitted code. AppArmor or SELinux could be used to do this.

A decoy /etc/passwd is a bit less plausible to me.


As for the plausibility of the decoy, how do you interpret the output of the Python interpreter in the great-grandparent comment?

If I had to build a compile-and-run sandbox, I'd also look into SELinux or AppArmor. However, blocking reads to /etc/passwd will disable getpwent(), which innocent programs may occasionally use, and with shadow passwords, /etc/passwd should not be sensitive anyway.


Hmm, I have to admit a 'nobody' account with UID and GID 0 is weird. I'm not sure if it is possible for a non-superuser to have those values so you may be right here.

With AppArmor, at least, it is perfectly possible to assign different policies to the same program. Policies are applied to programs identified by pathname so all one needs to do to sandbox, for instance, /usr/bin/gcc:

1. ln /usr/bin/gcc-4.4 ~/sandbox/compilers/gcc
2. Create and enforce an AppArmor policy for ~/sandbox/compilers/gcc
3. Remember to use only ~/sandbox/compilers/gcc for untrusted code.

I do this (among other things) for my platform, and given that I only require user-submitted code to solve one of a limited set of algorithmic challenges, I can get away with blocking access to /etc/passwd (and everything else but a restricted whitelist).
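An added illustration of step 2 in the comment above: a constructed AppArmor profile for the hard-linked compiler. It is not the commenter's actual policy and not part of the thread. The home directory /home/judge, the work directory and the toolchain locations are assumptions that differ between distributions.

```apparmor
# Constructed example profile for the hard-linked driver from step 1.
# /home/judge is a hypothetical sandbox account; adjust every path below.
#include <tunables/global>

/home/judge/sandbox/compilers/gcc {
  # Shared libraries, locale data and similar basics.
  # abstractions/nameservice is deliberately NOT included: that is the
  # abstraction that would grant read access to /etc/passwd.
  #include <abstractions/base>

  # Inside a profile, anything not listed is already refused. The explicit
  # deny also overrides any allow rule pulled in later and keeps the
  # expected refusals out of the audit log.
  deny /etc/passwd r,

  # The driver binary itself.
  /home/judge/sandbox/compilers/gcc mr,

  # Helper programs the driver executes (cc1, collect2, as, ld).
  # "ix" makes them inherit this profile, so they are confined too.
  /usr/lib/gcc/** mrix,
  /usr/bin/as mrix,
  /usr/bin/ld mrix,

  # Headers, static libraries and startup objects: read-only.
  /usr/include/** r,
  /usr/lib/** r,

  # Submitted sources and build output (assumed work directory).
  /home/judge/sandbox/work/** rw,

  # gcc's intermediate files.
  /tmp/cc* rw,
}
```

Load it with `apparmor_parser -r` on the profile file; running it first in complain mode (`aa-complain`) shows which toolchain paths are still missing from the whitelist before switching to `aa-enforce`.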



