A while back I discussed the problems with the node-sandbox module. I wrote a solution, but it broke on newer V8s, and I have not spent the time to track down the problem. Even then, serious care must always be taken to not allow remote code execution. I know ways that horrify people using just type coercion. But let's get down to the truth of security:
Go to the OS. Do not trust scrubbing things yourself and always enforce OS level security if you are serious. Here are the basics:

1. Put people in a jail of some kind (kernel namespaces, classic fs jail, etc. according to needs).
2. Strip them of ALL permissions possible (this also includes knowing how FS permissions work, i.e., drop them to a low level folder they do not have access to, then put something inside for them to play in).
3. Put them in a different process that is started in a detached state.
4. Use a bootstrap to scrub the env & the argv (particularly argv[0]).
5. Set the resource limits on the Job/Process Group/Project/etc. that your OS calls a group of processes and children, similar to w/e user you drop them into (man quota or w/e apt.).
6. Don't use a chroot as a jail.
7. If you are truly paranoid / have a highly specialized use case:
   7.1 Use "Function" with a capital F started in a different context to run user code.
   7.1.1 Enforce a strict mode wrapper to non-strict wrapper inside of the runner.
   7.2 Only allow people to pass around serialized data (JSON, strings, etc.) to the outer context.
   7.3 No function sharing, no object sharing (use a deep copy from inside the target context that is not available from the target context due to being inside a closure).
   7.3.1 Deep copy should be in strict mode and used on anything you ever see from user code.
   7.4 If sharing privileged functions such as the deep copy in #6, do not use any `.` properties (save w/e you need before you get to code by users).
   7.5 Do not invoke a function call on anything you get from outside your function.
   7.6 Do not use type coercion on any objects you get.
   7.7 Do not return a value from your function.
   7.8 Nest a function and check the inner function has the right new Error().stack (arguments.caller is overridable, stack is set).

#7 is generally unnecessary, but depends on what you are trying for.
I would talk to a PaaS for Node about the problems they have seen (probably results in small consulting fee `if` they are willing). Email me if you have questions.
