
As for the plausibility of the decoy, how do you interpret the output of the Python interpreter in the great-grandparent comment?

If I had to build a compile-and-run sandbox, I'd also look into SELinux or AppArmor. However, blocking reads to /etc/passwd will disable getpwent(), which innocent programs may occasionally use, and with shadow passwords, /etc/passwd should not be sensitive anyway.




Hmm, I have to admit a 'nobody' account with UID and GID 0 is weird. I'm not sure if it is possible for a non-superuser to have those values, so you may be right here.

With AppArmor, at least, it is perfectly possible to assign different policies to the same program. Policies are applied to programs identified by pathname, so all one needs to do to sandbox, for instance, /usr/bin/gcc is:

1. ln /usr/bin/gcc-4.4 ~/sandbox/compilers/gcc
2. Create and enforce an apparmor policy for ~/sandbox/compilers/gcc
3. Remember to use only ~/sandbox/compilers/gcc for untrusted code.

I do this (among other things) for my platform, and given that I only require user-submitted code to solve one of a limited set of algorithmic challenges, I can get away with blocking access to /etc/passwd (and everything else but a restricted whitelist).
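A profile for step 2 of the procedure above, written as an added example rather than the commenter's own policy: it attaches to the hard link, not to /usr/bin/gcc-4.4, whitelists only what a compile needs, and audits the /etc/passwd denial the thread discusses. The helper paths (cc1, collect2, as, ld) and the writable tree ~/sandbox/work are assumptions for a Debian-style layout.

```apparmor
# Constructed example: /etc/apparmor.d/home.sandbox.compilers.gcc
# Attaches by pathname to the hard link from step 1, so /usr/bin/gcc-4.4
# invoked directly stays unconfined while ~/sandbox/compilers/gcc is sandboxed.
#include <tunables/global>

/home/*/sandbox/compilers/gcc {
  #include <abstractions/base>

  # The driver and the helpers it execs (paths assumed; confirm with
  # `gcc -print-prog-name=cc1`). 'ix' makes the helpers inherit this
  # profile instead of running unconfined.
  /home/*/sandbox/compilers/gcc mr,
  /usr/lib/gcc/*/*/cc1 ix,
  /usr/lib/gcc/*/*/cc1plus ix,
  /usr/lib/gcc/*/*/collect2 ix,
  /usr/bin/as ix,
  /usr/bin/ld ix,

  # Read-only toolchain inputs: headers, crt objects, libgcc, specs.
  /usr/include/** r,
  /usr/lib/gcc/** r,

  # The only writable locations: the submission tree (assumed path) and
  # gcc's own temporary files. Nothing else in the filesystem is writable.
  owner /home/*/sandbox/work/** rw,
  owner /tmp/cc* rw,

  # AppArmor denies everything not listed, but plain denials are quiet;
  # 'audit deny' logs the attempts you actually want to see in the audit log.
  audit deny /etc/passwd r,
  audit deny /etc/shadow r,
  audit deny /home/*/sandbox/compilers/** w,
}
```

Develop it in complain mode (aa-complain, then aa-logprof after a few real compiles) so the profile reflects what the toolchain on your own box touches before switching to enforce.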



