A correspondent asked the following question, and I thought I should post it here to encourage responses from others in the community.
Hello Richard
We've now installed your plugin on our dev environment and are testing it out.
How will the code be parsed? For example, I can run a phpinfo() or shell_exec command. Is the plugin safe? Can the Moodle user invoke malware or create a huge file on the jobe-server?
Kind regards
My response ...
Firstly, it's important to note that the CodeRunner plugin itself is as safe as any other plugin. All student code gets run on the Jobe server which for security should be a separate firewalled server.
On the question of the security of Jobe, you might want to read the following posting by Tim Hunt: https://coderunner.org.nz/mod/forum/discuss.php?d=57 reporting briefly (in positive terms) on a security audit of Jobe performed by a cyber security consultancy. I think it's also worth noting that we have been running various Jobe servers at the University of Canterbury for around 5 years, fielding millions of submissions, and have never had a security failure, deliberate or otherwise, at least to our knowledge. An Open University IT staff member who applied himself to the task was able to break security, given direct access to Jobe through web requests rather than through Moodle. His attack mode would not have been possible via Moodle but anyway we have since closed or at least mitigated the vulnerabilities he found. Also, CodeRunner is installed on over 600 other registered Moodle sites around the world and no-one has reported security issues, at least to me. Which is not to say that Jobe is rock solid (nothing ever is) or that there haven't been issues but I think you can be confident that they're rare.
A Moodle user can run any code on Jobe that a standard Linux user can run with the following restrictions:
- No home directory
- Limited time (typically around 5 secs)
- Limited memory (typically a hundred MB)
- Limited number of processes (language dependent)
- Write access limited to the current directory plus standard tmp directories
However, assuming the Jobe server is properly firewalled and the base Linux system is properly configured, this freedom doesn't imply vulnerability.
While a student might be able to create a very large file in their working directory or another temporary directory, it's difficult to create a large enough one to cause problems in the time available and any files created get deleted when the task finishes. Nevertheless, if this still worries you, see the section "An optional extra installation step (for Paranoid sysadmins only)" in the Jobe documentation.
Lastly, and perhaps most importantly of all, Moodle records every single job that gets submitted to Jobe (assuming that's the only path into Jobe). This means that any student deliberately attempting to compromise the security of Jobe is taking a huge risk as there is a complete audit trail of every single submission they ever made.
I hope that helps ease your concerns but feel free to post back here with further questions. I would also be interested to hear if any other CodeRunner users out there have had security issues.
Richard
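The time, memory and file-size restrictions listed in the post above can be seen in action with ordinary Linux resource limits. This is an added sketch, not code from Jobe or CodeRunner: the name `run_limited`, the helper `cap` and the 20 MB file cap are assumptions for illustration. The process-count limit is left out because `RLIMIT_NPROC` is counted per user account, so it only means something when jobs run under a dedicated account.

```python
import os
import resource
import subprocess
import tempfile

def cap(res, value):
    """Set soft and hard limit to value, never above the inherited hard limit."""
    hard = resource.getrlimit(res)[1]
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))

def run_limited(argv, cpu_secs=5, mem_bytes=100 * 2**20,
                max_file_bytes=20 * 2**20, wall_secs=10):
    """Run argv in a throwaway directory under rlimits; return a result dict."""
    def apply_limits():
        # Runs in the child between fork() and exec(), so only the job is limited.
        cap(resource.RLIMIT_CPU, cpu_secs)          # CPU seconds, then a fatal signal
        cap(resource.RLIMIT_FSIZE, max_file_bytes)  # largest file the job may write
        cap(resource.RLIMIT_CORE, 0)                # no core dumps left behind
        cap(resource.RLIMIT_AS, mem_bytes)          # address space; set last

    with tempfile.TemporaryDirectory(prefix="job_") as workdir:
        try:
            proc = subprocess.run(
                argv, cwd=workdir, preexec_fn=apply_limits,
                stdin=subprocess.DEVNULL, stdout=subprocess.PIPE,
                stderr=subprocess.DEVNULL, timeout=wall_secs,
                env={"PATH": "/usr/bin:/bin"})  # minimal, fixed environment
            code, out = proc.returncode, proc.stdout
        except subprocess.TimeoutExpired as exc:
            # Wall-clock limit: run() has already killed the child.
            code, out = None, exc.stdout or b""
        # Record what the job left behind before the directory is removed.
        sizes = {name: os.path.getsize(os.path.join(workdir, name))
                 for name in os.listdir(workdir)}
    return {"returncode": code, "stdout": out, "files": sizes,
            "workdir_left": os.path.exists(workdir)}

if __name__ == "__main__":
    # Constructed jobs: one tries to write ~5 MB under a 1 MB cap, one spins the CPU.
    print(run_limited(["dd", "if=/dev/zero", "of=big", "bs=1024", "count=5000"],
                      max_file_bytes=2**20))
    print(run_limited(["sh", "-c", "while :; do :; done"], cpu_secs=1))
```

A negative `returncode` means the job was killed by that signal number, and `returncode` is `None` when the wall-clock timeout fired.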