On Wed, Dec 19, 2012 at 1:02 PM, Jan T Kim <jtt...@googlemail.com> wrote:
> On Wed, Dec 19, 2012 at 12:39:21PM +0100, Joris Meys wrote:
> > The safest way to prevent attacks using an R connector, is managing the
> > permissions for the application on your own server. We do that with the
> > RStudio Server application we have running. You have to take into account
> > that R allows for many interactions with the system. Also file(), dir(),
> > unlink() and all sys. functions have the potential to screen and possibly
> > alter your system. Not only system() and eval() pose a security problem...
>
> just out of curiosity, how do you disable these functions?

You got me wrong: We don't disable these functions, we just don't give the
R instance that's executing the file any permissions on the system. So
trying to run any function that wants to access the system only results in
error messages. I believe we did that by creating a specific user account
and linked that to the R application behind the interface.

But sandboxing (as you mentioned) is just as good.

--
Joris Meys
Statistical consultant

Ghent University
Faculty of Bioscience Engineering
Department of Mathematical Modelling, Statistics and Bio-Informatics

tel : +32 9 264 59 87
joris.m...@ugent.be
-------------------------------
Disclaimer : http://helpdesk.ugent.be/e-maildisclaimer.php

______________________________________________
R-devel@r-project.org mailing list
https://stat.ethz.ch/mailman/listinfo/r-devel
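
Added example, not part of the original message or of any setup described in this thread: an R script to run under the dedicated account the reply describes, which attempts real writes to confirm that the operating system, not R itself, refuses them. The directory lists are assumptions to adapt to the server being checked.

```r
# Added example (not from the thread). Run it as the account that backs the
# R web application, e.g. with Rscript, to confirm the lockdown holds.

# ASSUMPTION: directories the service account must NOT be able to modify.
protected <- c("/etc", "/usr", "/home", "/var/www", R.home())
# ASSUMPTION: the only places the account is expected to write.
scratch <- c(tempdir())

# Try a real write instead of trusting mode bits: ACLs, read-only mounts and
# sandbox rules all show up here. The probe file is removed again on success.
can_write <- function(dir) {
  if (!dir.exists(dir)) return(NA)
  probe <- file.path(dir, sprintf(".perm_probe_%d", Sys.getpid()))
  ok <- suppressWarnings(file.create(probe))
  if (isTRUE(ok)) unlink(probe)
  isTRUE(ok)
}

audit <- function(protected, scratch) {
  dirs <- c(protected, scratch)
  res <- data.frame(
    dir      = dirs,
    role     = rep(c("protected", "scratch"),
                   c(length(protected), length(scratch))),
    writable = vapply(dirs, can_write, logical(1), USE.NAMES = FALSE),
    stringsAsFactors = FALSE
  )
  # A finding is a protected directory that accepted a write, or a scratch
  # directory that refused one (the application itself would break).
  res$finding <- with(res, !is.na(writable) &
    ((role == "protected" & writable) | (role == "scratch" & !writable)))
  res
}

who <- Sys.info()[["effective_user"]]
report <- audit(protected, scratch)
print(report)

# Running as root defeats the whole approach, so count it as a finding.
is_root <- identical(who, "root")
if (is_root) message("R is running as root: file permissions do not restrain it")
bad <- sum(report$finding) + is_root
message(sprintf("user=%s findings=%d", who, bad))

# Non-zero exit status lets a deployment check or cron job flag regressions.
if (!interactive()) quit(status = if (bad > 0) 1 else 0)
```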