user for each process

vr-varad · Feb 13, 2025 · 47db267 · 47db267
1 parent 36c9bdf
commit 47db267
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 8 deletions.
diff --git a/worker/Dockerfile b/worker/Dockerfile
@@ -6,8 +6,13 @@ RUN apk add --no-cache \
     python3 \
     tini \
     sudo \
-    && addgroup -S docker \
-    && adduser -S docker -G docker
+    shadow 
+
+RUN addgroup -S docker
+RUN adduser -S docker -G docker
+RUN echo "docker ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
+
+RUN mkdir -p /home/docker && chown docker:docker /home/docker
 
 
 WORKDIR /app

diff --git a/worker/utils/codeRunner.js b/worker/utils/codeRunner.js
@@ -1,9 +1,14 @@
-import { execShellCommand } from "./execCommand.js";
+import { createUser, deleteUser, execShellCommand } from "./execCommand.js";
+import crypto from 'crypto';
 
 const codeRunner = async (language, code) => {
     let imageName;
     let command;
 
+    const username = crypto.randomBytes(6).toString('hex');
+
+    const userId = await createUser(username);
+
     // conversion required so that code doesn't contain any special characters 
     // that gets misinterpreted in the shel like " or ' or & etc.
     switch (language) {
@@ -14,15 +19,23 @@ const codeRunner = async (language, code) => {
         case "javascript":
             imageName = 'node:20';
             const base64Code = Buffer.from(code).toString("base64");
-            command = `bash -c "echo '${base64Code}' | base64 -d > program.js && node program.js"`;
+            command = `bash -c "echo '${base64Code}' | base64 -d > /tmp/program.js && node /tmp/program.js"`;
             break;
         default:
             throw new Error('Unsupported language');
     }
 
-    const containerCommand = `docker run --rm --cpus=1 --pids-limit=100 ${imageName} sh -c 'timeout 10s ${command}'`;
+    const containerCommand = `docker run --rm -u ${userId} --cpus=1 --pids-limit=100 ${imageName} sh -c 'timeout 10s ${command}'`;
 
-    return await execShellCommand(containerCommand);
+
+    try {
+        const result = await execShellCommand(containerCommand);
+        await deleteUser(username);
+        return result;
+    } catch (error) {
+        await deleteUser(username);
+        throw error;
+    }
 };
 
 export {

diff --git a/worker/utils/execCommand.js b/worker/utils/execCommand.js
@@ -46,8 +46,11 @@ const createUser = async (username, cpuLimit = '10000', memoryLimit = '500M') =>
     const createUserCommand = `sudo useradd -m ${username} && echo '${username}:p' | sudo chpasswd`;
     await execShellCommand(createUserCommand);
     console.log(`User ${username} created successfully.`);
+    const getUserIdCommand = `id -u ${username}`;
+    const uid = await execShellCommand(getUserIdCommand);
+    return uid.trim();
   } catch (error) {
-    console.error(`Error creating user ${username}:`, error.message);
+    console.error(`Error creating user ${username}:`, error);
     throw error;
   } finally {
     userCreationSemaphore.release();
@@ -69,7 +72,7 @@ const deleteUser = async (username) => {
 };
 
 const killProcessGroup = async (pgid) => {
-  const killCommand = `sudo kill -TERM -${pgid}`; 
+  const killCommand = `sudo kill -TERM -${pgid}`;
   await execShellCommand(killCommand);
 };