Well, you may use a separate node process, but you should run it in a chroot or
jail if you want real safety here.

Cheers,
Fedor.



On Mon, Jul 2, 2012 at 8:16 PM, Will Riley <[email protected]> wrote:

> Ah, I see. I saw in the docs that it says "safely running untrusted code
> requires a separate process", but could you elaborate on that? Would it be
> better to use vanilla v8 for something like this?
>
>
> On Monday, July 2, 2012 10:53:26 PM UTC-4, Ben Noordhuis wrote:
>>
>> On Tue, Jul 3, 2012 at 4:27 AM, Will Riley <[email protected]> wrote:
>> > Hi,
>> >
>> > Right now I'm working on a sandbox library for node.js. I'd most likely be
>> > using vm.runInNewContext to prevent any unwanted methods (eg process.kill)
>> > from becoming accessible, and the untrusted code would run in a different
>> > node process.
>> >
>> > I'm looking into the possibility of enabling code to call a wrapped
>> > 'require()' for loading a restricted set of modules (eg 'crypto' or 'util'),
>> > or even exposing wrapped versions of 'net' or 'fs' that restrict their use
>> > to certain paths/addresses. This is mainly for performance reasons,
>> > otherwise I'd do I/O in the main process.
>> >
>> > I'm a bit concerned that somehow, 'process.binding()' is going to become
>> > accessible to the untrusted code if I expose a module to it. Is this an
>> > irrational concern, or would it be more secure to wrap process.binding in
>> > the global scope of my sandbox before running the untrusted code?
>> >
>> > Thanks again!
>>
>> The vm module is *not* for running untrusted code. A sandbox != secure
>> jail.
>>
>> We warn about it in the docs but maybe we have to be more explicit
>> about it because questions like yours come up often.
>>
>  --
> Job Board: http://jobs.nodejs.org/
> Posting guidelines:
> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
> You received this message because you are subscribed to the Google
> Groups "nodejs" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to
> [email protected]
> For more options, visit this group at
> http://groups.google.com/group/nodejs?hl=en?hl=en
>
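
The separate-process arrangement discussed in this thread, as an added example that is not from any poster or from Node's own code: `runIsolated` and `CHILD_BOOTSTRAP` are hypothetical names, and any uid/gid is supplied by the caller. It shows only the process boundary (empty environment, time and output limits); the chroot or jail has to be applied by the operating system around the child.

```javascript
// Added example; runIsolated and CHILD_BOOTSTRAP are hypothetical names.
const { spawnSync } = require('child_process');
const os = require('os');

// Runs inside the child: read untrusted source from stdin and evaluate it.
// vm is only a convenience layer here; the process is the boundary.
const CHILD_BOOTSTRAP = `
  const vm = require('vm');
  let src = '';
  process.stdin.setEncoding('utf8');
  process.stdin.on('data', (d) => { src += d; });
  process.stdin.on('end', () => {
    let out;
    try {
      out = { ok: true, value: vm.runInNewContext(src, {}, { timeout: 500 }) };
    } catch (e) {
      out = { ok: false, error: 'script failed' };
    }
    process.stdout.write(JSON.stringify(out));
  });
`;

function runIsolated(source, { timeoutMs = 5000, uid, gid } = {}) {
  const opts = {
    input: source,         // untrusted code travels over stdin, not argv
    env: {},               // child inherits no secrets from the host environment
    cwd: os.tmpdir(),      // do not start in the application directory
    timeout: timeoutMs,    // wall-clock limit enforced by the parent
    killSignal: 'SIGKILL',
    maxBuffer: 64 * 1024,  // cap how much output the child can return
    encoding: 'utf8',
  };
  // Optional privilege drop; caller supplies an unprivileged uid/gid (needs root).
  if (uid !== undefined) opts.uid = uid;
  if (gid !== undefined) opts.gid = gid;

  const r = spawnSync(process.execPath, ['-e', CHILD_BOOTSTRAP], opts);
  if (r.error) return { ok: false, error: r.error.code };
  if (r.status !== 0) return { ok: false, error: 'exit ' + r.status };
  try {
    return JSON.parse(r.stdout);  // treat child output as data, never eval it
  } catch (_) {
    return { ok: false, error: 'bad output' };
  }
}
```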
