On Fri, Aug 29, 2014 at 10:40 AM, Alexander Burger <a...@software-lab.de> wrote:
>
> The 'repl' in the PicoLisp release has about the same security as an SSH
> session (if it is used via an SSL session). With the standard role and
> permission system, you have a good control about who is allowed to use
> it.

The idea here is not access to the REPL, but (quote from the Tcl ref):
«safe to execute an arbitrary script from your worst enemy without
fear of that script damaging the enclosing application or the rest of
your computing environment.»

> Then, the most glaring security risks are the 'call' and 'pipe'
> functions, and the pipe functionalities of 'in', 'out' and 'load'. They
> allow a REPL user to directly access the underlying system. If these
> were disabled (can probably be done on the Lisp level in the 'repl'

How would you disable them? Would this be ok?
(de annihilate @ (mapcar '((sym) (set sym NIL)) (rest)))
Then call it this way (I think that I understand now why low level functions
should evaluate their args):
(annihilate 'call 'pipe ...)

> function itself), attackers cannot call external commands or processes
> any more (can they?).

This is the delicate/time-consuming part: testing, trying to crack a
«safe» interp.

> But then an attacker could still read many files. So perhaps disable all
> I/O functions? How far it makes sense to go?

No idea, but the Tcl guys may have thought about this a lot. From the ref:

«««
The following commands are hidden by interp create when it creates a
safe interpreter:
cd encoding exec exit
fconfigure file glob load
open pwd socket source
These commands can be recreated later as Tcl procedures or aliases, or
re-exposed by interp expose.
The following commands from Tcl's library of support procedures are
not present in a safe interpreter:
auto_exec_ok auto_import auto_load
auto_load_index auto_qualify unknown
»»»

I also thought about resources. For showcase purposes, a computation
running more than 5 seconds should be killed. What do you think?

I'm also asking the question in the context of Emulisp. If ever there
is a platform like
http://jsbin.com/ supporting PicoLisp, what «in browser» operations will be
safe to allow?


chri

-- 

http://profgra.org/lycee/ (site pro)
http://delicious.com/profgraorg (liens, favoris)
https://twitter.com/profgraorg
http://microalg.info
--
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe
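Added example (not code from the thread, from PicoLisp's 'repl', or from Emulisp) putting the pieces discussed above together: the posted 'annihilate' idea, the thread's 5-second budget, and a throw-away child process so the host REPL keeps its own 'pipe' and 'call'. It only relies on PicoLisp built-ins that exist ('pipe', 'alarm', 'any', 'catch', 'bye'); the names 'sandbox' and '*Dangerous', the three constructed inputs and the contents of the deny-list are assumptions made here. The deny-list is deliberately incomplete; which functions must go (and whether anything left can rebuild them) is exactly the "trying to crack it" work the thread talks about.

```picolisp
# Added example, not PicoLisp's own sandbox code. Names and the deny-list
# below are assumptions; the list is a starting point, not a complete one.
# Functions that reach the OS: processes, pipes, files, sockets, DB files,
# environment, and 'native' (pil64 can call any C function through it).
(setq *Dangerous
   '(call pipe in out load open close rd wr fork kill native port
     connect listen accept pool ctty dir info lines sys) )

# Same idea as 'annihilate' in the thread: clear the symbols' values so the
# built-in functions become unreachable from the evaluated code. Because
# the built-ins live in C, nothing on the Lisp side can get them back.
(de annihilate @
   (mapcar '((Sym) (set Sym NIL)) (rest)) )

# Parse Str, evaluate it in a child process, and return the result, or the
# caught error message, or NIL if the child was killed after Secs seconds.
# 'pipe' forks: the child evaluates the first argument with its standard
# output connected to the parent, which reads it with 'read'.
(de sandbox (Str Secs)
   (pipe
      (prog
         (alarm Secs (bye 2))             # time budget, e.g. 5 s as proposed
         (apply annihilate *Dangerous)    # only in the child, after the fork
         (println
            (catch '(NIL)                 # '(NIL) catches any error
               (eval (any Str)) ) ) )
      (read) ) )                          # parent: read the printed value

# Constructed inputs exercising the three paths.
(println (sandbox "(+ 1 2)" 5))                # plain computation
(println (sandbox "(call \"ls\")" 5))          # 'call' is gone in the child
(println (sandbox "(loop (inc '*N))" 1))       # cut off by 'alarm'
```

The first call is an ordinary computation and comes back through the pipe; the second hits a removed function, so 'eval' raises an error that 'catch' turns into the returned message; the third never prints anything because 'alarm' ends the child, and 'read' returns NIL at the end of the pipe. The deny-list is the part that needs the adversarial testing the thread mentions (for instance, a clever script may still open files through whatever was forgotten), and since the child runs with the same uid as the parent, anything the Lisp level misses is only bounded by what the OS allows that user.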