Avoid using non-suid isolate executable

konstantint · stefano-maggiolo · commit 490dbf7368c1 · 2015-01-25T20:31:12.000Z
diff --git a/cms/grading/Sandbox.py b/cms/grading/Sandbox.py
@@ -902,11 +902,13 @@ def detect_box_executable(self):
                       '..', '..', 'isolate', self.exec_name))]
         paths += [self.exec_name]
         for path in paths:
-            # Consider only non-directory, executable files.
+            # Consider only non-directory, executable files with SUID flag on.
             if os.path.exists(path) \
                     and not os.path.isdir(path) \
                     and os.access(path, os.X_OK):
-                return path
+                st = os.stat(path)
+                if st.st_mode & stat.S_ISUID != 0:
+                    return path
 
         # As default, return self.exec_name alone, that means that
         # system path is used.
