l...@gnu.org (Ludovic Courtès) writes:
> Mark H Weaver <m...@netris.org> skribis:
>
>> Every once in a while someone asks about secure sandboxing with Guile,
>> and generally the response is that it should be fairly easy, by creating
>> a module with carefully selected bindings, but there's nothing ready
>> "out of the box".
>>
>> I just realized that psyntax has a security hole that prevents secure
>> sandboxing, and wanted to post this fact before it was forgotten.
>
> There are many other holes, such as the fact that ‘@@’ is compiled to
> the ‘toplevel-ref’ instruction, which can search inside modules.
'@@' can be rebound, so that its default binding is no longer available:
scheme@(guile-user)> (@@ (ice-9 popen) open-pipe*)
$1 = #<procedure open-pipe* (mode command . args)>
scheme@(guile-user)> (define @@ 2)
scheme@(guile-user)> (@@ (ice-9 popen) open-pipe*)
;;; <stdin>:3:4: warning: possibly unbound variable `ice-9'
;;; <stdin>:3:4: warning: possibly unbound variable `popen'
;;; <stdin>:3:0: warning: possibly unbound variable `open-pipe*'
<unnamed port>:3:4: In procedure #<procedure 103199b0 at <current input>:3:0
()>:
<unnamed port>:3:4: In procedure module-lookup: Unbound variable: ice-9
Entering a new prompt. Type `,bt' for a backtrace or `,q' to continue.
scheme@(guile-user) [1]>
In the past, some of us (including me) have suspected that by creating a
module with all dangerous bindings removed (including '@' and '@@'), one
could create a secure sandbox in Guile. Sadly, that is not the case.
>> The problem is that psyntax accepts syntax-objects in the input, and
>> syntax-objects are simply vectors (or sexps containing vectors).
>
> I agree it would be nice to fix eventually, using structs, but it takes
> more than this to allow for “secure sandboxing”.
Can you think of anything else that would need to be fixed, besides this
problem with forgeable syntax-objects?
Thanks,
Mark
