Daniel Hulme wrote:
> This might sound like nitpicking, but since security's concerned, I want
> to be absolutely clear.
>
> On Tue, May 19, 2009 at 01:08:28PM -0400, Mike Blackstock wrote:
>> Furthermore, you just limit the number of utilities you put in the
>> /bin directories; if you don't have the 'rm' command in there, then it
>> can't be run, obviously.
>
> Removing the 'rm' binary will slow down someone who's trying to inject
> commands by having you process "myfile.ly ; rm -rf /" but it won't stop
> someone using Guile's POSIX system call module to do the same thing.
> A chroot jail will keep the webserver safe, but it won't stop people
> writing a Lilypond file that downloads a list of email addresses and
> sends spam to all of them.
Good point...
> -dsafe aims to protect against all of these attacks, but unless you know
> exactly what it permits and denies you can't know whether it's
> appropriate for the kind of use you intend.
This page:
http://lilypond.org/doc/v2.10/Documentation/user/lilypond/Invoking-lilypond
seems to suggest that the jail or safe option is to be used in a web server
setting, but I get the impression from the comments here that it
shouldn't be trusted? i.e., the functionality involved might be out of date?
An alternative for my own context could be to just offer a subset of
lilypond functionality, and reject any output that goes beyond that.
That is prone to error though.
lex
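An added illustration of the point made in this thread (example code, not from the list or from LilyPond): the `"myfile.ly ; rm -rf /"` filename is only dangerous if it is pasted into a command string that a shell parses, so a web front end should hand LilyPond an argument vector and allowlist the filename itself; `-dsafe` is still needed separately, because the filename check says nothing about what the file's embedded Scheme may try. `HOSTILE_NAME`, `SAFE_NAME` and the helper functions are assumptions of this example.

```python
import re
import shlex
from typing import List

# Constructed sample input: the injection string quoted in the thread,
# supplied as if it were an uploaded filename.
HOSTILE_NAME = "myfile.ly ; rm -rf /"

# Hypothetical allowlist: a short alphanumeric basename ending in .ly, no
# leading '-' (so it cannot be read as an option) and no shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.ly$")


def shell_tokens(name: str) -> List[str]:
    """Words a POSIX shell would see if the name were pasted into a command
    string such as 'lilypond <name>' (e.g. via os.system or shell=True)."""
    return shlex.split(f"lilypond {name}")


def injects_command(name: str) -> bool:
    """True if pasting the name into a shell command line would produce more
    than one word after the program name (extra arguments or a ';' separator).
    This only analyses the string; nothing is executed."""
    return len(shell_tokens(name)) > 2


def validate_name(name: str) -> bool:
    """Reject anything outside the allowlist: the 'accept only a known subset'
    approach from the thread, applied to the filename rather than to output."""
    return SAFE_NAME.fullmatch(name) is not None


def build_argv(name: str) -> List[str]:
    """Argument vector for subprocess.run(argv, shell=False). Each element
    reaches the process as-is, so no shell ever parses the name. -dsafe (from
    the thread) is kept because the filename check does not restrict what the
    .ly file's Scheme code can do; that is -dsafe's job."""
    if not validate_name(name):
        raise ValueError(f"rejected filename: {name!r}")
    return ["lilypond", "-dsafe", name]


if __name__ == "__main__":
    print(shell_tokens(HOSTILE_NAME))     # ['lilypond', 'myfile.ly', ';', 'rm', '-rf', '/']
    print(injects_command(HOSTILE_NAME))  # True
    print(build_argv("score_01.ly"))      # ['lilypond', '-dsafe', 'score_01.ly']
```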
_______________________________________________
lilypond-user mailing list
http://lists.gnu.org/mailman/listinfo/lilypond-user