diff --git a/backend/src/sandbox.rs b/backend/src/sandbox.rs
index d6e6348..9d6544d 100644
--- a/backend/src/sandbox.rs
+++ b/backend/src/sandbox.rs
@@ -3,23 +3,18 @@ use std::io::Write;
 use std::os::fd::AsRawFd;
 use std::process::Command;
-use tempfile::TempDir;
+use tempfile::{TempDir, NamedTempFile};
 #[rustfmt::skip]
 const STATIC_ARGS: &[&str] = &[
     "--ro-bind", "/usr", "/usr",
     "--dir", "/tmp",
     "--dir", "/var",
-    "--symlink", "../tmp", "var/tmp",
+    "--symlink", "../tmp", "/var/tmp",
     "--proc", "/proc",
     "--dev", "/dev",
     "--ro-bind", "/etc/resolv.conf", "/etc/resolv.conf",
     "--ro-bind", "/nix", "/nix",
-    "--symlink", "usr/lib", "/lib",
-    "--symlink", "usr/lib64 /lib64",
-    "--symlink", "usr/bin", "/bin",
-    "--symlink", "usr/sbin", "/sbin",
-    "--chdir", "/app",
     "--unshare-all",
     "--die-with-parent",
     "--clearenv",
@@ -30,7 +25,7 @@ const HARE_COMMAND: &str = "/nix/store/cnysps4xzry4g26zyz7mmxfjj6wagpa6-hare-0.2
 /// Default command timeout in seconds.
 const DEFAULT_TIMEOUT: u32 = 10;
-fn passwd_files(uid: u32, gid: u32) -> (File, File, Vec) {
+fn passwd_files(uid: u32, gid: u32) -> (NamedTempFile, NamedTempFile, Vec) {
     let uid = uid.to_string();
     let passwd = Command::new("getent")
         .args(["passwd", &uid, "65534"])
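Review bot: `use std::os::fd::AsRawFd;` is kept as context at the top of this hunk while the only `as_raw_fd()` calls visible on the page are removed in the passwd_files hunk, so the import is most likely dead now and will trigger an unused-import warning unless something outside the page still uses it. Separately, `--ro-bind /etc/resolv.conf` combined with `--unshare-all` only does anything if a `--share-net` is passed later (the tail of STATIC_ARGS and the rest of the bwrap invocation are outside this hunk); if the sandbox is meant to stay network-isolated the bind is dead weight, and if name resolution is intended that deserves a comment. A doc comment above the array, e.g. `/// bwrap arguments shared by every sandbox run: read-only system paths, a fresh /tmp and /var, all namespaces unshared and the environment cleared.`, would make the intended isolation boundary reviewable.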
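Review bot: The new NamedTempFile return type carries a lifetime requirement that passwd_files does not document: dropping a NamedTempFile deletes the file, and the `--ro-bind` sources in the returned argument list are those paths, so the caller has to keep both handles alive until bwrap has started and mounted them. A doc comment such as `/// Builds the sandbox's /etc/passwd and /etc/group from getent for the given uid/gid. The returned temp-file handles must outlive the bwrap start: dropping them deletes the files the returned --ro-bind arguments point at.` would make that explicit at the signature. The body of passwd_files continues below this hunk.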
@@ -43,20 +38,20 @@ fn passwd_files(uid: u32, gid: u32) -> (File, File, Vec) {
         .output()
         .expect("failed to run getent passwd");
-    let mut passwd_file = tempfile::tempfile().unwrap();
+    let mut passwd_file = tempfile::NamedTempFile::new().unwrap();
     passwd_file.write_all(&passwd.stdout).unwrap();
     passwd_file.flush().unwrap();
-    let mut group_file = tempfile::tempfile().unwrap();
+    let mut group_file = tempfile::NamedTempFile::new().unwrap();
     group_file.write_all(&group.stdout).unwrap();
     group_file.flush().unwrap();
     let args = vec![
-        "--file".to_string(),
-        passwd_file.as_raw_fd().to_string(),
+        "--ro-bind".to_string(),
+        passwd_file.path().display().to_string(),
         "/etc/passwd".to_string(),
-        "--file".to_string(),
-        group_file.as_raw_fd().to_string(),
+        "--ro-bind".to_string(),
+        group_file.path().display().to_string(),
         "/etc/group".to_string(),
     ];
@@ -85,14 +80,18 @@ fn shared_app_dir() -> (TempDir, Vec) {
     (
         tmp_app_dir,
-        vec!["--bind".to_string(), app_dir_path, "/app".to_string()],
+        vec![
+            "--bind".to_string(),
+            app_dir_path,
+            "/app".to_string(),
+            "--chdir".to_string(),
+            "/app".to_string(),
+        ],
     )
 }
 fn command(app_file: &str) -> Vec {
     vec![
-        "/usr/bin/timeout".to_string(),
-        DEFAULT_TIMEOUT.to_string(),
         HARE_COMMAND.to_string(),
         "run".to_string(),
         app_file.to_string(),
@@ -100,9 +99,7 @@ fn command(app_file: &str) -> Vec {
 }
 fn getids() -> (u32, u32) {
-    unsafe {
-        (libc::getuid(), libc::getgid())
-    }
+    unsafe { (libc::getuid(), libc::getgid()) }
 }
 pub fn run_code(code: &str) {
@@ -121,7 +118,7 @@ pub fn run_code(code: &str) {
     bwrap_cmd.args(file_args);
     {
-        let code_path = app_dir.path().with_file_name("main.ha");
+        let code_path = app_dir.path().join("main.ha");
         let mut code_file = File::create(code_path).unwrap();
         code_file.write_all(code.as_bytes()).unwrap();
     }
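Review bot: The `.expect("failed to run getent passwd")` at the top of this hunk appears to sit on the command whose output is consumed as `group.stdout` a few lines later (the passwd lookup's `.args` closes the previous hunk, and its `.output()` would fall in the unseen lines between), so the message looks copy-pasted from the passwd lookup and would point anyone debugging a failed group lookup at the wrong command; if that reading is right, change it to `.expect("failed to run getent group")`. Also, `passwd_file.path().display().to_string()` is a lossy conversion: harmless for tempfile's ASCII names in a normal temp dir, but a non-UTF-8 TMPDIR would yield a `--ro-bind` source that does not exist, which is worth a one-line comment next to the two `display()` calls.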
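Review bot: Removing `/usr/bin/timeout` and `DEFAULT_TIMEOUT` from command() takes away the only bound on the sandboxed program's run time visible on this page; `--die-with-parent` only ends the child when the backend process itself exits, so unless run_code now enforces a deadline elsewhere (its body is outside these hunks) a submitted program that never terminates occupies the sandbox indefinitely. `DEFAULT_TIMEOUT` is also left with no remaining use after this hunk — either wire it back in (wait on the child with a deadline and kill it on expiry) or remove the constant together with its `/// Default command timeout in seconds.` doc so the dead knob does not suggest a limit that is not enforced.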
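Review bot: The switch to `join("main.ha")` is the right fix (`with_file_name` would have replaced the temp dir's last component and written the source beside it rather than inside it), but `File::create(code_path).unwrap()` and `write_all(...).unwrap()` still turn a transient I/O failure into a panic inside the public run_code; if run_code is reached from a request handler for untrusted submissions, that is an easy way to take the handler down. At minimum use `.expect("create main.ha in the sandbox app dir")` so the panic names its cause, or return `io::Result<()>` and let the caller decide. run_code continues outside this hunk.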