Nick Sieger wrote:
> On 6/28/07, Thomas E Enebo <[EMAIL PROTECTED]> wrote:
>> I say chuck it out since we are not even close to being correct in
>> this area. It gives a false sense of security. In fact, I wonder
>> what sort of audit MRI goes through to demonstrate that safe/taint is
>> working. As far as I can tell tainting is really tough to get right
>> and keep right.
>>
>> The DRb mention below makes me think we need to come up with a
>> creative solution to replace it (using Java's security mechanism in
>> some way). I am hoping some enterprising community member who cares
>> about this will help find the true path...
>
> Actually, I'm thinking the right path would be to promote
> sandbox/javasand. We just need to polish it up and get some examples
> out there on how to secure a real-world application with it. _eric's
> IRC bot is one example.

There's also the threading issue with it...since we allow a single
native thread to cross into another runtime, there's no way for runtime
A to kill runtime B without having access to the RubyThread associated
with that runtime. In MRI this works ok because sandbox still uses the
same core runtime but a different set of core classes for the sandboxes,
so killing a target thread works.
But explicit sandboxing does seem like a better long-term approach. We
(Sun) are going to be working with ko1 on his MVM research for Ruby 1.9,
and I'm hoping that it will learn a lot from sandbox...ideally making
sandbox more standard and providing a path forward for those using it.
- Charlie