A correspondent asked the following question, and I thought I should post it here to encourage responses from others in the community.
We've now installed your plugin on our dev. Environment and testing it out.
How does the code will be parsed? Per example I can run a phpinfo() or shell_exec command. Does the plugin is safe? Does the Moodle user can invoke malware or create a huge file on the jobe-server?
My response ...
Firstly, it's important to note that the CodeRunner plugin itself is as safe as any other plugin. All student code gets run on the Jobe server which for security should be a separate firewalled server.
On the question of the security of Jobe, you might want to read the following posting by Tim Hunt: https://coderunner.org.nz/mod/forum/discuss.php?d=57 reporting briefly (in positive terms) on a security audit of Jobe performed by a cyber security consultancy. I think it's also worth noting that we have been running various Jobe servers at the University of Canterbury for around 5 years, fielding millions of submissions, and have never had a security failure, deliberate or otherwise, at least to our knowledge. An Open University IT staff member who applied himself to the task was able to break security, given direct access to Jobe through web requests rather than through Moodle. His attack mode would not have been possible via Moodle but anyway we have since closed or at least mitigated the vulnerabilities he found. Also, CodeRunner is installed on over 600 other registered Moodle sites around the world and no-one has reported security issues, at least to me. Which is not to say that Jobe is rock solid (nothing ever is) or that there haven't been issues but I think you can be confident that they're rare.
A Moodle user can run any code on Jobe that a standard Linux user can run with the following restrictions:
- No home directory
- Limited time (typically around 5 secs)
- Limited memory (typically a hundred MB)
- Limited number of processes (language dependent)
- Write access limited to the current directory plus standard tmp directories
However, assuming the Jobe server is properly firewalled and the base Linux system is properly configured, this freedom doesn't imply vulnerability.
While a student might be able to create a very large file in their working directly or another temporary directory, it's difficult to create a large enough one to cause problems in the time available and any files created get deleted when the task finishes. Nevertheless, if this still worries you, see the section An optional extra installation step (for Paranoid sysadmins only) in the Jobe documentation.
Lastly, and perhaps most importantly of all, Moodle records every single job that gets submitted to Jobe (assuming that's the only path into Jobe). This means that any student deliberately attempting to compromise the security of Jobe is taking a huge risk as there is a complete audit trail of every single submission they ever made.
I hope that helps ease your concerns but feel free to post back here with further questions. I would also be interested to hear if any other CodeRunner users out there have had security issues.
Thank you very much! That really helps me and I can take it and the further links as a proof.
I'm just thoughtful about, that the user knows really easy the PHP server configuration. Normally sysadmins don't want public that?