try to fix permission

Dockerfile

@@ -10,7 +10,7 @@ RUN buildDeps='software-properties-common git libtool cmake python-dev python3-p
     mkdir build && cd build && cmake .. && make && make install && cd ../bindings/Python && python3 setup.py install && \
     apt-get purge -y --auto-remove $buildDeps && \
     apt-get clean && rm -rf /var/lib/apt/lists/* && \
-    mkdir -p /code && useradd -r compiler && useradd -r code
+    mkdir -p /code
 
 HEALTHCHECK --interval=5s --retries=3 CMD python3 /code/service.py
 ADD server /code

server/config.py

@@ -16,6 +16,9 @@
 COMPILER_USER_UID = pwd.getpwnam("compiler").pw_uid
 COMPILER_GROUP_GID = grp.getgrnam("compiler").gr_gid
 
+SPJ_USER_UID = pwd.getpwnam("spj").pw_uid
+SPJ_GROUP_GID = grp.getgrnam("spj").gr_gid
+
 TEST_CASE_DIR = "/test_case"
 SPJ_SRC_DIR = "/judger/spj"
 SPJ_EXE_DIR = "/judger/spj"

server/entrypoint.sh

@@ -1,8 +1,18 @@
 #!/bin/bash
+useradd -u 12001 compiler
+useradd -u 12002 code
+useradd -u 12003 spj
+usermod -a -G code spj
+
 rm -rf /judger/*
 mkdir -p /judger/run /judger/spj
-chown -R compiler:compiler /judger/
-chmod -R 771 /judger/
+
+chown compiler:code /judger/run
+chmod 711 /judger/run
+
+chown compiler:spj /judger/spj
+chmod 710 /judger/spj
+
 core=$(grep --count ^processor /proc/cpuinfo)
 n=$(($core*2))
 exec gunicorn --workers $n --threads $n --error-logfile /log/gunicorn.log --time 600 --bind 0.0.0.0:8080 server:app

server/judge_client.py

@@ -6,7 +6,7 @@
 
 import psutil
 
-from config import TEST_CASE_DIR, JUDGER_RUN_LOG_PATH, RUN_GROUP_GID, RUN_USER_UID, SPJ_EXE_DIR
+from config import TEST_CASE_DIR, JUDGER_RUN_LOG_PATH, RUN_GROUP_GID, RUN_USER_UID, SPJ_EXE_DIR, SPJ_USER_UID, SPJ_GROUP_GID, RUN_GROUP_GID
 from exception import JudgeClientError
 
 SPJ_WA = 1
@@ -63,6 +63,9 @@ def _compare_output(self, test_case_file_id):
         return output_md5, result
 
     def _spj(self, in_file_path, user_out_file_path):
+        os.chown(self._submission_dir, SPJ_USER_UID, 0)
+        os.chown(user_out_file_path, SPJ_USER_UID, 0)
+        os.chmod(user_out_file_path, 0o740)
         command = self._spj_config["command"].format(exe_path=self._spj_exe,
                                                      in_file_path=in_file_path,
                                                      user_out_file_path=user_out_file_path).split(" ")
@@ -81,8 +84,8 @@ def _spj(self, in_file_path, user_out_file_path):
                              env=["PATH=" + os.environ.get("PATH", "")],
                              log_path=JUDGER_RUN_LOG_PATH,
                              seccomp_rule_name=seccomp_rule_name,
-                             uid=RUN_USER_UID,
-                             gid=RUN_GROUP_GID)
+                             uid=SPJ_USER_UID,
+                             gid=SPJ_GROUP_GID)
 
         if result["result"] == _judger.RESULT_SUCCESS or \
                 (result["result"] == _judger.RESULT_RUNTIME_ERROR and

server/server.py

@@ -6,7 +6,7 @@
 from flask import Flask, request, Response
 
 from compiler import Compiler
-from config import JUDGER_WORKSPACE_BASE, SPJ_SRC_DIR, SPJ_EXE_DIR, COMPILER_GROUP_GID
+from config import JUDGER_WORKSPACE_BASE, SPJ_SRC_DIR, SPJ_EXE_DIR, COMPILER_USER_UID, SPJ_USER_UID, RUN_USER_UID, RUN_GROUP_GID
 from exception import TokenVerificationFailed, CompileError, SPJCompileError, JudgeClientError
 from judge_client import JudgeClient
 from utils import server_info, logger, token
@@ -23,8 +23,8 @@ def __init__(self, judger_workspace, submission_id):
     def __enter__(self):
         try:
             os.mkdir(self.path)
-            os.chown(self.path, 0, COMPILER_GROUP_GID)
-            os.chmod(self.path, 0o771)
+            os.chown(self.path, COMPILER_USER_UID, RUN_GROUP_GID)
+            os.chmod(self.path, 0o711)
         except Exception as e:
             logger.exception(e)
             raise JudgeClientError("failed to create runtime dir")
@@ -69,11 +69,15 @@ def judge(cls, language_config, src, max_cpu_time, max_memory, test_case_id,
                 # write source code into file
                 with open(src_path, "w", encoding="utf-8") as f:
                     f.write(src)
+                os.chown(src_path, COMPILER_USER_UID, 0)
+                os.chmod(src_path, 0o400)
 
                 # compile source code, return exe file path
                 exe_path = Compiler().compile(compile_config=compile_config,
                                               src_path=src_path,
                                               output_dir=submission_dir)
+                os.chown(exe_path, RUN_USER_UID, 0)
+                os.chmod(exe_path, 0o500)
             else:
                 exe_path = os.path.join(submission_dir, run_config["exe_name"])
                 with open(exe_path, "w", encoding="utf-8") as f:
@@ -103,14 +107,15 @@ def compile_spj(cls, spj_version, src, spj_compile_config):
         if not os.path.exists(spj_src_path):
             with open(spj_src_path, "w", encoding="utf-8") as f:
                 f.write(src)
-            os.chown(spj_src_path, 0, COMPILER_GROUP_GID)
-            os.chmod(spj_src_path, 0o660)
+            os.chown(spj_src_path, COMPILER_USER_UID, 0)
+            os.chmod(spj_src_path, 0o400)
 
         try:
             exe_path = Compiler().compile(compile_config=spj_compile_config,
                                           src_path=spj_src_path,
                                           output_dir=SPJ_EXE_DIR)
-            os.chmod(exe_path, 0o771)
+            os.chown(exe_path, SPJ_USER_UID, 0)
+            os.chmod(exe_path, 0o500)
         # turn common CompileError into SPJCompileError
         except CompileError as e:
             raise SPJCompileError(e.message)