On Fri, Aug 29, 2014 at 10:40 AM, Alexander Burger <a...@software-lab.de> wrote:
> The 'repl' in the PicoLisp release has about the same security as an SSH
> session (if it is used via an SSL session). With the standard role and
> permission system, you have good control over who is allowed to use
The idea here is not access to the REPL, but (quote from the Tcl ref):
«safe to execute an arbitrary script from your worst enemy without
fear of that script damaging the enclosing application or the rest of
your computing environment.»
> Then, the most glaring security risks are the 'call' and 'pipe'
> functions, and the pipe functionalities of 'in', 'out' and 'load'. They
> allow a REPL user to directly access the underlying system. If these
> were disabled (can probably be done on the Lisp level in the 'repl'
How would you disable them? Would this be ok?

# Clear the value (i.e. the function definition) of each symbol passed in.
# The parameter is capitalized so it does not shadow the built-in 'sym'.
(de annihilate @
   (mapcar '((Sym) (set Sym NIL)) (rest)) )

Then call it this way (I think that I understand now why low-level functions
should evaluate their args):

(annihilate 'call 'pipe ...)
> function itself), attackers cannot call external commands or processes
> any more (can they?).
This is the delicate/time consuming part: testing, trying to crack a
> But then an attacker could still read many files. So perhaps disable all
> I/O functions? How far it makes sense to go?
No idea, but the Tcl guys may have thought about this a lot. From the ref:

    The following commands are hidden by interp create when it creates a
        cd          encoding    exec        exit
        fconfigure  file        glob        load
        open        pwd         socket      source
    These commands can be recreated later as Tcl procedures or aliases, or
    re-exposed by interp expose.

    The following commands from Tcl's library of support procedures are
    not present in a safe interpreter:
        auto_exec_ok     auto_import     auto_load
        auto_load_index  auto_qualify    unknown
I also thought about resources. For showcase purposes, a computation
running more than 5 seconds should be killed. What do you think?
I'm also asking the question in the context of Emulisp. If ever there
is a platform like
http://jsbin.com/ supporting PicoLisp, what «in browser» operations will be
safe to allow?
http://profgra.org/lycee/ (professional site)
http://delicious.com/profgraorg (links, bookmarks)
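As an added example (not code from the message above, and not part of the PicoLisp release), here is one way to combine the two ideas discussed in the thread, hiding the functions that reach the operating system and killing a computation after 5 seconds, in the spirit of Tcl's safe interpreter. It assumes a stock PicoLisp; the *Unsafe list, the sandbox function and the sample scripts are assumptions of this example, and the list is a starting point rather than a verified one.

```picolisp
# Added example, not from the original message or the PicoLisp release.
# Runs an untrusted script in a forked child process: the child hides the
# functions that reach the operating system (the 'annihilate' idea from the
# message), arms a 5-second watchdog, evaluates the script and prints the
# result back to the parent through the pipe.
# Assumptions: a stock PicoLisp; *Unsafe is a starting list, not a proven one.

# Symbols whose values the child clears before evaluating the script
# (assumed list: processes, files, environment, sockets, the DB pool, code
# loading, and the timer itself so the script cannot cancel the watchdog;
# 'native' exists only in the 64-bit version, clearing it elsewhere is harmless)
(setq *Unsafe
   '(call pipe in out err load sys ctl open close dir info lines pool
     connect listen port udp ipc fork kill alarm native) )

# Clear the value (i.e. the function definition) of each symbol passed in.
# Arguments are evaluated, so symbols are passed quoted or via 'apply'.
(de annihilate @
   (mapcar '((Sym) (set Sym NIL)) (rest)) )

# Evaluate the script text 'Src' in a child process under the restrictions.
# Returns the script's value (or the caught error message) as read back
# from the child, or NIL if the child was killed by the watchdog.
(de sandbox (Src)
   (pipe
      (in "/dev/null"                   # child: script sees an empty input,
         (alarm 5 (bye 1))              # not the parent's; exit after 5 s
         (apply annihilate *Unsafe)     # hide the dangerous functions
         (println                       # send the result to the parent
            (catch '(NIL)               # any runtime error -> its message
               (eval (any Src)) ) ) )
      (read) ) )                        # parent: read the single result

# Constructed sample scripts: a plain computation, an attempt to run a
# shell command, and an endless loop that the watchdog has to stop
(de sandboxDemo ()
   (list
      (sandbox "(* 6 7)")
      (sandbox "(call \"id\")")
      (sandbox "(let N 0 (loop (inc 'N)))") ) )
```

Calling (sandboxDemo) should give the value of the computation, then the error message the child caught for the call to the cleared 'call' symbol instead of a process being spawned, and finally NIL once the watchdog has killed the third child. Two checks belong to the "trying to crack" work mentioned above: the parent only reads the child's output as data and never evaluates it, and a script that redefines 'bye' (and catches the resulting error) can survive the child-side watchdog, so a production version should have the parent kill the child process instead. Since 'set' and 'eval' stay available, the test suite for the sandbox should also include attempts to restore a hidden function by other means before the list is trusted.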