How do I quote someone? (I'm not that social and I've never participated in
a mailing list before, do I just copy and paste and add the >?)

Christophe Gragnic,

If you use Docker containers, as with my proposed solution, you can do
whatever you want with the container (a mini virtual machine) and if
everything gets destroyed for example, you can just build a new container
in less than a second. The containers are isolated from the host machine,
so everything is safe.

On Aug 29, 2014 9:32 AM, "Christophe Gragnic" <christophegrag...@gmail.com>
wrote:
>
> On Fri, Aug 29, 2014 at 10:40 AM, Alexander Burger <a...@software-lab.de> wrote:
> >
> > The 'repl' in the PicoLisp release has about the same security as an SSH
> > session (if it is used via an SSL session). With the standard role and
> > permission system, you have good control over who is allowed to use
> > it.
>
> The idea here is not access to the REPL, but (quote from the Tcl ref):
> «safe to execute an arbitrary script from your worst enemy without
> fear of that script damaging the enclosing application or the rest of
> your computing environment.»
>
> > Then, the most glaring security risks are the 'call' and 'pipe'
> > functions, and the pipe functionalities of 'in', 'out' and 'load'. They
> > allow a REPL user to directly access the interlying system. If these
> > were disabled (can probably be done on the Lisp level in the 'repl'
>
> How would you disable them? Would this be ok?
> (de annihilate @ (mapcar '((sym) (set sym NIL)) (rest)))
> Then call it this way (I think that I understand now why low level functions
> should evaluate their args):
> (annihilate 'call 'pipe ...)
>
> > function itself), attackers cannot call external commands or processes
> > any more (can they?).
>
> This is the delicate/time consuming part: testing, trying to crack a
> «safe» interp.
>
> > But then an attacker could still read many files. So perhaps disable all
> > I/O functions? How far it makes sense to go?
>
> No idea, but the Tcl guys may have thought about this a lot. From the ref:
>
> «««
> The following commands are hidden by interp create when it creates a
> safe interpreter:
> cd encoding exec exit
> fconfigure file glob load
> open pwd socket source
> These commands can be recreated later as Tcl procedures or aliases, or
> re-exposed by interp expose.
> The following commands from Tcl's library of support procedures are
> not present in a safe interpreter:
> auto_exec_ok auto_import auto_load
> auto_load_index auto_qualify unknown
> »»»
>
> I also thought about resources. For showcase purposes, a computation
> running more than 5 seconds should be killed. What do you think?
>
> I'm also asking the question in the context of Emulisp. If ever there
> is a platform like
> http://jsbin.com/ supporting PicoLisp, what «in browser» operations will be
> safe to allow?
>
>
> chri
>
> --
>
> http://profgra.org/lycee/ (site pro)
> http://delicious.com/profgraorg (liens, favoris)
> https://twitter.com/profgraorg
> http://microalg.info
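As an added example (not code from the thread, nor from the PicoLisp distribution), here is the in-process "safe mode" the quoted message sketches with `annihilate`, carried through with pil's `undef`, together with the five-second kill Christophe asks about, done with `abort`. Assumptions: PicoLisp 3.x (`undef`, `abort`, and `catch` taking a list of error patterns), that `abort` returns NIL when the limit is exceeded, and that the `*Dangerous` list is illustrative rather than complete.

```picolisp
# Added example (not from the thread): an in-process "safe mode" for the
# PicoLisp REPL, built on the annihilate idea plus a wall-clock limit.
# Assumes pil (PicoLisp 3.x): 'undef', 'abort' and 'catch' with an error list.

# Wall-clock limit in seconds for one sandboxed evaluation
(setq *Limit 5)

# Illustrative (not exhaustive) list of built-ins that reach the host system.
# The pipe forms of 'in', 'out' and 'load' live inside those built-ins, so a
# symbol-level denylist cannot remove them without removing file I/O as well.
(setq *Dangerous '(call pipe fork native))

# Like the thread's 'annihilate', but via 'undef', which removes the function
# definition and returns the old one. Returns the symbols actually undefined
# (on a 32-bit pil 'native' does not exist and is simply skipped).
(de annihilate @
   (make
      (while (args)
         (let Sym (next)
            (when (undef Sym)
               (link Sym) ) ) ) ) )

# Evaluate one expression under the time limit and trap any error.
# 'catch' with '(NIL) returns the error message string instead of entering
# the debugger; 'abort' stops its body after *Limit seconds (assumed here to
# return NIL in that case).
(de safe-eval (Expr)
   (catch '(NIL)
      (abort *Limit
         (eval Expr) ) ) )

# Usage: remove the host-access functions once, then evaluate untrusted forms
(apply annihilate *Dangerous)
(safe-eval '(+ 1 2))          # ordinary computation still works
(safe-eval '(call "ls"))      # 'call' is now "Undefined"; the command never runs
(safe-eval '(while T))        # aborted once *Limit seconds have passed
```

Two caveats that the thread itself raises apply to this block: it runs in the same process as the REPL, so `annihilate` removes those functions for the host application too, and removing symbols does nothing about the pipe modes built into `in`, `out` and `load` or about plain file reads and writes. That is the gap the reply at the top of this message fills with a throwaway container per session instead of an in-process denylist.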
