> Sorry to harp on security issues, but what are you doing to protect > yourself from those compile and run arbitrary code > boxes?
It runs a separate process which is suid'd to a single purpose restricted user that only has access to one directory and a number of ulimits in force. So they could in theory write evil things, but the operating system won't let it gain much ground. I'm currently setting up a separate virtual machine on a different domain to handle that, so even if they broke it, the system is completely expendable anyway. Problems with this would be if someone wanted to set up a network spammer or a CPU eater. Perhaps a cron job that loops around killing processes would help with that. I need to think about it some more. Redirecting the user to ideone might end up being the best solution (or dropping the feature) but I want to shoot for something higher first.
