On Thu, May 21, 2009 at 11:41:36AM +0100, Alex wrote:
> Yeah, I've just been looking at safe-lily.scm which appears to filter 
> any given module against the safe funcs....
> Also I saw the bit that bans include files when in safe mode.
> So, the CPU style DoS attack aside, do the above two cover all known 
> vectors of attack?

Who knows? You have to audit *all* functions allowed in safe-lily.scm.
And you have to check every future change to those functions. I don't
believe that such a safe mode will ever be enough to make a program
really safe.

> >We'd like to add this functionality to lilypond itself, but that
> >takes more coding, of course.  And such patches would need to be
> >examined very carefully; a badly-implemented security feature is
> >worse than no security feature at all!
> >  
> Oh yeah. Not to be taken lightly!
> I suppose there could be an argument that protecting against resource 
> hogging isn't in the remit of the lilypond itself - it's more a 
> usage/context consideration - but it could be handy to have in embedded 
> in lilypond.

No, why? You can limit resource access (cpu, memory, disk, network)
from whatever starts lilypond.  Adding such functionality to lilypond
makes the code more complex and error-prone.

Ciao,
        Kili


_______________________________________________
lilypond-user mailing list
http://lists.gnu.org/mailman/listinfo/lilypond-user