Question about sandboxed compiles in Server Pro · Issue #1355 · overleaf/overleaf · GitHub
Open
crew-carson opened this issue May 14, 2025 · 1 comment
@crew-carson

I'm interested in Server Pro, but I'd like clarification on its capabilities for sandboxed compiles first.

I believe with sandboxed compiles, the following code shouldn't result in helloworld.tex being written to the host, but would it still be written to the sharelatex container? Essentially I want to know how isolated the sharelatex container would be from the sibling container doing the compile. Thanks.

```latex
\documentclass{article}
\usepackage{shellesc}
\begin{document}
This will write a file named helloworld.tex with the contents "Hello-World".
\newwrite\outfile
\openout\outfile=helloworld.tex
\write\outfile{Hello-World}
\closeout\outfile
\end{document}
```

@mlevans0
Collaborator

Hey @crew-carson, thanks for your question and interest in using Server Pro.

When Sandboxed Compiles are enabled, a copy of the project source files is copied to the host's SANDBOXED_COMPILES_HOST_DIR, and then bind mounted into a sibling container where the compile happens (no data outside the project is copied). These sibling containers are then periodically cleaned up.

Eventually, anything user-generated and compiled output are stored on the host, but potentially dangerous activity (executing arbitrary shell commands as part of the PDF compile process) that could happen happens in the sandbox, not in the sharelatex container.

Sibling containers have limited permissions (via a custom seccomp policy that is applied to the container), and they don't have access to any other projects/data stored on the host or settings/files within the sharelatex container.

You can find more information about Sandboxed Compiles here.

For additional information, please feel free to contact our sales team here.

Note: Server Pro licensing starts at a minimum seat count of 10.
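
An added example, not part of the original thread and not Overleaf's own code: a Python check that takes `docker inspect` JSON for a compile container and reports anything that deviates from the isolation described in the answer above (bind mounts confined to a per-project directory under the host compile directory, a seccomp profile applied). The sample JSON, container name, paths and function name are constructed for illustration, and the privileged-mode and Docker-socket checks are extra hardening checks that the thread does not mention.

```python
import json
import posixpath
from pathlib import PurePosixPath

# Constructed sample: trimmed `docker inspect` output for one compile container.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/compile-abc-123",
    "HostConfig": {"Privileged": False,
                   "SecurityOpt": ['seccomp={"defaultAction":"SCMP_ACT_ERRNO"}']},
    "Mounts": [{"Type": "bind", "Source": "/srv/overleaf/compiles/abc-123",
                "Destination": "/compile", "RW": True}],
}])


def audit_compile_container(inspect_json, host_dir):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    base = PurePosixPath(posixpath.normpath(host_dir))
    for c in json.loads(inspect_json):
        name = c.get("Name", "?")
        host_cfg = c.get("HostConfig") or {}
        if host_cfg.get("Privileged"):
            findings.append(f"{name}: runs privileged")
        # An explicit profile shows up as "seccomp=<json or path>".
        opts = host_cfg.get("SecurityOpt") or []
        seccomp = [o[8:].strip() for o in opts
                   if o.startswith(("seccomp=", "seccomp:"))]
        if not seccomp:
            findings.append(f"{name}: no custom seccomp profile set")
        elif "unconfined" in seccomp:
            findings.append(f"{name}: seccomp is unconfined")
        for m in c.get("Mounts") or []:
            src = PurePosixPath(posixpath.normpath(m.get("Source") or "/"))
            if src.name == "docker.sock":
                findings.append(f"{name}: Docker socket mounted from {src}")
            elif base not in src.parents:
                # Only a per-project directory strictly below host_dir is
                # expected; host_dir itself would expose every project.
                findings.append(f"{name}: mount outside compile dir: {src}")
    return findings


if __name__ == "__main__":
    for line in audit_compile_container(SAMPLE_INSPECT, "/srv/overleaf/compiles"):
        print(line)
```

Feed it the output of `docker inspect <container>` for a running compile container, with `host_dir` set to the value of SANDBOXED_COMPILES_HOST_DIR.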
