Question
I have a need to allow my users to execute .NET code that they provide on my server. I know security is a big concern, but it has to be done that way.
Currently, I run my users' code under a limited Windows account. But I am worried that the .NET Framework provides many classes that, if used maliciously, can harm the server -- classes under the Reflection namespace are one example, CodeDom is another concern.
I wish there was a way to create a "lightweight virtual environment" that can run .NET code, but is fully isolated. Kind of like Virtual PC, but much more lightweight -- the only capability would be that users can do calculations and, possibly, call a 3rd party web service.
Is there something on the market that provides an isolated environment for .NET applications?
Thanks.
Answer 1:
.NET has built-in security features to do exactly what you want to do. Without knowing how their .NET apps are being launched, I can't say for sure if it will help you, but if you control the launching of the apps, you can apply a security context to their AppDomain and restrict what they can access. From what you said in the original posting, if you blocked pretty much everything except WebPermission (and you can even restrict it to specific addresses), it should be safe to run on your system.
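A sketch of the restricted AppDomain the answer describes, added here as an example and not part of the original answer: the grant set contains only execution rights and a WebPermission for one address. It targets .NET Framework 4; the folder, URL, and the `UserCode` / `UserCode.Job` / `Run` names are hypothetical placeholders for the user-supplied assembly and its public static parameterless entry point.

```csharp
using System;
using System.IO;
using System.Net;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Host assembly. It must be strong-name signed so it can be listed as fully trusted.
public sealed class Sandboxer : MarshalByRefObject
{
    // Hypothetical values: folder holding the user's assembly, and the one allowed endpoint.
    const string UserCodeDir = @"C:\sandbox\usercode";
    const string AllowedUrl = "https://api.example.com/service";

    public static void Main()
    {
        // Grant set for user code: run, plus outbound connections to a single URL.
        // No file, registry, reflection, UI or unmanaged-code permissions are granted.
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        grant.AddPermission(new WebPermission(NetworkAccess.Connect, AllowedUrl));

        var setup = new AppDomainSetup { ApplicationBase = Path.GetFullPath(UserCodeDir) };
        StrongName hostName = typeof(Sandboxer).Assembly.Evidence.GetHostEvidence<StrongName>();
        if (hostName == null)
            throw new InvalidOperationException("Sign the host assembly with a strong name.");

        AppDomain sandbox = AppDomain.CreateDomain("UserSandbox", null, setup, grant, hostName);
        try
        {
            // Instantiate the (fully trusted) runner inside the sandbox; we get a proxy back.
            var runner = (Sandboxer)Activator.CreateInstanceFrom(sandbox,
                typeof(Sandboxer).Assembly.ManifestModule.FullyQualifiedName,
                typeof(Sandboxer).FullName).Unwrap();
            Console.WriteLine(runner.Run("UserCode", "UserCode.Job", "Run"));
        }
        finally { AppDomain.Unload(sandbox); }
    }

    // Executes inside the sandbox domain; the user method runs with only the grant set above.
    public string Run(string assemblyName, string typeName, string method)
    {
        MethodInfo target = Assembly.Load(assemblyName).GetType(typeName).GetMethod(method);
        try { return Convert.ToString(target.Invoke(null, null)); }
        catch (TargetInvocationException ex)
        {
            if (ex.InnerException is SecurityException)
                return "Blocked by sandbox: " + ex.InnerException.Message;
            throw;
        }
    }
}
```

Code Access Security sandboxing of this kind exists only on .NET Framework (it is not supported on .NET Core or .NET 5+), and Microsoft advises against relying on it as a security boundary, so the limited Windows account from the question stays in place as the outer layer. The permission set also does not bound CPU time or memory, so a runaway calculation still has to be handled by the host.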
Source: https://stackoverflow.com/questions/9794596/how-to-provide-isolation