I am writing something similar to http://ideone.com/. Currently I am running user processes with the CreateProcess call. I kill the process if it runs longer than a specified amount of time, but I don't know how to deny read/write filesystem rights, process-creation rights, etc. to the created process. The given executable can be literally anything and I need to allow only stdin / stdout. Also it would be great if I could set the working memory set.
I read a lot of articles on MSDN such as CreateProcessAsUser Function, CreateProcessWithLogonW Function, etc., but I get confused very fast (probably because my Win32 knowledge is extremely limited).
Is it sufficient just to call CreateProcessAsUser and create a special user with those limited privileges (and how do I create such a user)?
I hope I can achieve this in one function call with the right parameters, so please help.
Also, if you know some similar open source project it would be great.
Thanks.
==========================================================
Edit:
Hi again :)
I am still stuck with this. I didn't have enough time to work on this, but I guess snemarch's post is very useful. If someone has an out-of-the-box solution, it would be great. I will post if I do something with snemarch's links.
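An added example, not from the question or from any project it mentions, showing the Win32 call sequence behind the three asks in the question: a job object caps per-process memory, user-mode CPU time and the number of processes (so the child cannot spawn anything); a copy of the host's token passed through CreateRestrictedToken and lowered to low integrity loses every privilege and is refused writes to the user's normal (medium-integrity) files and registry keys; and CreateProcessAsUser starts the binary suspended so it is inside the job before its first instruction runs. It is written in Python with ctypes so the structure layouts and flag values are explicit rather than hidden behind a header. Assumptions: 64-bit Windows for the launch part, and exe_path, the limits and the wall-clock budget are supplied by the caller. build_job_limits runs on any platform; run_sandboxed needs Windows.

```python
"""Added example: confine an untrusted Windows executable with a job object and a
privilege-stripped, low-integrity token (Python ctypes; the launch needs 64-bit Windows)."""
import ctypes
import sys

HANDLE, DWORD = ctypes.c_void_p, ctypes.c_uint32

# Documented winnt.h / winbase.h values
JOB_OBJECT_LIMIT_PROCESS_TIME = 0x0002                # PerProcessUserTimeLimit is enforced
JOB_OBJECT_LIMIT_ACTIVE_PROCESS = 0x0008              # ActiveProcessLimit is enforced
JOB_OBJECT_LIMIT_PROCESS_MEMORY = 0x0100              # ProcessMemoryLimit is enforced
JOB_OBJECT_LIMIT_DIE_ON_UNHANDLED_EXCEPTION = 0x0400  # a crash exits instead of showing a dialog
JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE = 0x2000           # last job handle closed => members killed
JobObjectExtendedLimitInformation, TokenIntegrityLevel = 9, 25
TOKEN_ALL_ACCESS, DISABLE_MAX_PRIVILEGE, SE_GROUP_INTEGRITY = 0xF01FF, 0x1, 0x20
CREATE_SUSPENDED, STARTF_USESTDHANDLES, WAIT_TIMEOUT = 0x4, 0x100, 0x102
STD_INPUT_HANDLE, STD_OUTPUT_HANDLE = 0xFFFFFFF6, 0xFFFFFFF5  # (DWORD)-10, (DWORD)-11
LOW_INTEGRITY_SID = "S-1-16-4096"                      # well-known low mandatory level


class IO_COUNTERS(ctypes.Structure):
    _fields_ = [(n, ctypes.c_ulonglong) for n in ("ReadOperationCount", "WriteOperationCount",
                "OtherOperationCount", "ReadTransferCount", "WriteTransferCount", "OtherTransferCount")]

class JOBOBJECT_BASIC_LIMIT_INFORMATION(ctypes.Structure):
    _fields_ = [("PerProcessUserTimeLimit", ctypes.c_longlong), ("PerJobUserTimeLimit", ctypes.c_longlong),
                ("LimitFlags", DWORD), ("MinimumWorkingSetSize", ctypes.c_size_t),
                ("MaximumWorkingSetSize", ctypes.c_size_t), ("ActiveProcessLimit", DWORD),
                ("Affinity", ctypes.c_size_t), ("PriorityClass", DWORD), ("SchedulingClass", DWORD)]

class JOBOBJECT_EXTENDED_LIMIT_INFORMATION(ctypes.Structure):
    _fields_ = [("BasicLimitInformation", JOBOBJECT_BASIC_LIMIT_INFORMATION), ("IoInfo", IO_COUNTERS),
                ("ProcessMemoryLimit", ctypes.c_size_t), ("JobMemoryLimit", ctypes.c_size_t),
                ("PeakProcessMemoryUsed", ctypes.c_size_t), ("PeakJobMemoryUsed", ctypes.c_size_t)]

class SID_AND_ATTRIBUTES(ctypes.Structure):  # TOKEN_MANDATORY_LABEL is exactly one of these
    _fields_ = [("Sid", ctypes.c_void_p), ("Attributes", DWORD)]

class STARTUPINFOW(ctypes.Structure):
    _fields_ = ([("cb", DWORD)] + [(n, ctypes.c_wchar_p) for n in ("lpReserved", "lpDesktop", "lpTitle")]
                + [(n, DWORD) for n in ("dwX", "dwY", "dwXSize", "dwYSize", "dwXCountChars",
                                        "dwYCountChars", "dwFillAttribute", "dwFlags")]
                + [("wShowWindow", ctypes.c_uint16), ("cbReserved2", ctypes.c_uint16), ("lpReserved2", ctypes.c_void_p),
                   ("hStdInput", HANDLE), ("hStdOutput", HANDLE), ("hStdError", HANDLE)])

class PROCESS_INFORMATION(ctypes.Structure):
    _fields_ = [("hProcess", HANDLE), ("hThread", HANDLE), ("dwProcessId", DWORD), ("dwThreadId", DWORD)]


def build_job_limits(memory_bytes, cpu_seconds, max_processes=1):
    """Limit record for SetInformationJobObject: commit cap per process, user-mode CPU cap,
    process-count cap (1 = the child cannot spawn anything) and kill-all when the job closes."""
    info = JOBOBJECT_EXTENDED_LIMIT_INFORMATION()
    info.BasicLimitInformation.LimitFlags = (
        JOB_OBJECT_LIMIT_PROCESS_MEMORY | JOB_OBJECT_LIMIT_PROCESS_TIME | JOB_OBJECT_LIMIT_ACTIVE_PROCESS
        | JOB_OBJECT_LIMIT_DIE_ON_UNHANDLED_EXCEPTION | JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE)
    info.BasicLimitInformation.PerProcessUserTimeLimit = int(cpu_seconds * 10_000_000)  # 100 ns units
    info.BasicLimitInformation.ActiveProcessLimit = max_processes
    info.ProcessMemoryLimit = memory_bytes
    return info

def _check(ok):
    if not ok:
        raise ctypes.WinError(ctypes.get_last_error())

def run_sandboxed(exe_path, limits, wall_clock_ms):
    """Start exe_path suspended under the restricted token, attach it to the job, then resume it,
    so it never runs an instruction unconfined. Returns the exit code (1 if killed on timeout)."""
    if sys.platform != "win32":
        raise OSError("job objects and restricted tokens are Windows-only")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    k32.CreateJobObjectW.restype = k32.GetCurrentProcess.restype = k32.GetStdHandle.restype = HANDLE
    job = HANDLE(k32.CreateJobObjectW(None, None))
    _check(job.value)
    _check(k32.SetInformationJobObject(job, JobObjectExtendedLimitInformation,
                                       ctypes.byref(limits), ctypes.sizeof(limits)))
    # Copy of our token with every privilege removed, then lowered to low integrity: the kernel
    # refuses writes from it to the user's medium-integrity files and registry keys.
    src, tok, sid = HANDLE(), HANDLE(), ctypes.c_void_p()
    _check(adv.OpenProcessToken(k32.GetCurrentProcess(), TOKEN_ALL_ACCESS, ctypes.byref(src)))
    _check(adv.CreateRestrictedToken(src, DISABLE_MAX_PRIVILEGE, 0, None, 0, None, 0, None, ctypes.byref(tok)))
    _check(adv.ConvertStringSidToSidW(LOW_INTEGRITY_SID, ctypes.byref(sid)))
    label = SID_AND_ATTRIBUTES(Sid=sid.value, Attributes=SE_GROUP_INTEGRITY)
    _check(adv.SetTokenInformation(tok, TokenIntegrityLevel, ctypes.byref(label), ctypes.sizeof(label)))
    # Hand over only the standard streams; the child starts frozen (CREATE_SUSPENDED).
    si = STARTUPINFOW(cb=ctypes.sizeof(STARTUPINFOW), dwFlags=STARTF_USESTDHANDLES,
                      hStdInput=k32.GetStdHandle(STD_INPUT_HANDLE),
                      hStdOutput=k32.GetStdHandle(STD_OUTPUT_HANDLE), hStdError=k32.GetStdHandle(STD_OUTPUT_HANDLE))
    pi = PROCESS_INFORMATION()
    _check(adv.CreateProcessAsUserW(tok, exe_path, None, None, None, True, CREATE_SUSPENDED,
                                    None, None, ctypes.byref(si), ctypes.byref(pi)))
    hproc, hthread = HANDLE(pi.hProcess), HANDLE(pi.hThread)
    _check(k32.AssignProcessToJobObject(job, hproc))
    k32.ResumeThread(hthread)
    if k32.WaitForSingleObject(hproc, wall_clock_ms) == WAIT_TIMEOUT:  # wall-clock budget spent
        k32.TerminateProcess(hproc, 1)
    code = DWORD()
    k32.GetExitCodeProcess(hproc, ctypes.byref(code))
    for h in (hthread, hproc, tok, src, job):  # closing the job handle kills any survivors
        k32.CloseHandle(h)
    k32.LocalFree(sid)
    return code.value
```

Typical use is `run_sandboxed(r"C:\path\to\submission.exe", build_job_limits(64 * 1024 * 1024, 2.0), 5000)`. Two things the example leaves to the host: with bInheritHandles set to TRUE the child receives every inheritable handle the host owns, not just the three standard streams, so a real judge should either create its pipes with the parent's end non-inheritable or name the handles explicitly via PROC_THREAD_ATTRIBUTE_HANDLE_LIST; and a low-integrity restricted token still reads whatever the user can read, so hiding the host's files from the submission calls for a dedicated low-privilege account (restricting SIDs, or an AppContainer on newer Windows) rather than a token derived from the judge's own.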