On Mon, Jun 27, 2011 at 10:08 AM, Jukka Tuominen
<jukka.tuomi...@finndesign.fi> wrote:
>
> So, once I hopefully have it working locally, how do I apply it into the
> net-repl server? I think the following is the correct definition to be
> tweaked (non-modified from net-repl). Do I add the sandbox-environment to
> evals or something?
>
> (define net-repl-eval
>   (let ([eval (current-eval)])

You'll want to construct a sandboxed evaluator here, perhaps using
`current-eval'. But more likely, you don't need `current-eval' at
all. To create a sandbox, do something like this:

  (require racket/sandbox)
  (make-evaluator 'racket/base)

That produces a procedure that works like `eval', but in a new sandbox
that only has access to `racket/base'.

>     (lambda (exit)
>       (lambda (expr)
>         (if (equal?
>              (if (syntax? expr)
>                  (syntax-object->datum expr)
>                  expr)
>              '(#%top-interaction close))
>             (exit)
>             (eval expr))))))
>
>
> br, jukka
>
>
>> -----Original Message-----
>> From: sam...@gmail.com [mailto:sam...@gmail.com]On Behalf Of Sam Tobin-Hochstadt
>> Sent: 27 June 2011 16:53
>> To: Jukka Tuominen
>> Cc: users@racket-lang.org
>> Subject: Re: [racket] Limiting net-repl provided functions
>>
>>
>> On Mon, Jun 27, 2011 at 9:48 AM, Jukka Tuominen
>> <jukka.tuomi...@finndesign.fi> wrote:
>> > BTW, 'secure' in this context may mean allowing even critical system calls
>> > (say format harddisk), if so specified. But the user should not be able to
>> > do anything else than specified.
>>
>> The `sandbox' infrastructure is fairly flexible. Just by constructing
>> a namespace and doing the `eval' in that namespace, you'll be able to
>> restrict which identifiers the remote user can refer to. If those are
>> very limited, that might be enough for security.
>>
>> >> -----Original Message-----
>> >> From: sam...@gmail.com [mailto:sam...@gmail.com]On Behalf Of Sam Tobin-Hochstadt
>> >> Sent: 27 June 2011 16:10
>> >> To: Jukka Tuominen
>> >> Cc: users@racket-lang.org
>> >> Subject: Re: [racket] Limiting net-repl provided functions
>> >>
>> >>
>> >> On Mon, Jun 27, 2011 at 8:48 AM, Jukka Tuominen
>> >> <jukka.tuomi...@finndesign.fi> wrote:
>> >> >
>> >> > The basic client/server functionality is already working, but it's too big a
>> >> > security risk outside LAN use. It seems to be easier to add functionality
>> >> > than ripping them off. Perhaps creating a custom #%top definition to
>> >> > interfere with the default symbol lookup...?
>> >>
>> >> The right place to look is at sandboxes:
>> >>   http://docs.racket-lang.org/reference/Sandboxed_Evaluation.html
>> >> and namespaces:
>> >>   http://docs.racket-lang.org/guide/mk-namespace.html
>> >>
>> >> --
>> >> sam th
>> >> sa...@ccs.neu.edu
>> >
>> > _________________________________________________
>> >  For list-related administrative tasks:
>> >  http://lists.racket-lang.org/listinfo/users
>> >
>>
>>
>>
>> --
>> sam th
>> sa...@ccs.neu.edu
>

--
sam th
sa...@ccs.neu.edu
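
The advice in this reply applied to the quoted `net-repl-eval', as an added example that is not part of the original thread or of net-repl: every call builds its own `racket/base' sandbox with resource limits and evaluates only plain datums in it. The helper name `make-remote-evaluator', the limit values, the demo file name and the one-sandbox-per-call design are assumptions.

```racket
#lang racket/base
;; Added example, not code from the thread or from net-repl itself.
(require racket/sandbox)

;; One sandbox per call; the limits are assumed values, tune them.
(define (make-remote-evaluator)
  (parameterize ([sandbox-memory-limit 32]       ; MB for the whole sandbox
                 [sandbox-eval-limits '(5 16)]   ; seconds and MB per expression
                 [sandbox-output 'string]        ; keep output; read it with get-output
                 [sandbox-error-output 'string])
    (make-evaluator 'racket/base)))

;; Same shape as the quoted net-repl-eval: takes the exit procedure and
;; returns the eval handler (assumed to be called once per connection).
(define (net-repl-eval exit)
  (define sandbox-eval (make-remote-evaluator))
  (lambda (expr)
    ;; Strip syntax to a datum so every identifier is resolved inside
    ;; the sandbox namespace, never in the server's.
    (define datum (if (syntax? expr) (syntax->datum expr) expr))
    (cond
      [(equal? datum '(#%top-interaction close))
       (kill-evaluator sandbox-eval)             ; release the sandbox's resources
       (exit)]
      [else
       ;; User errors, exceeded limits and a terminated sandbox all arrive
       ;; as exn:fail; report them instead of letting them escape the handler.
       (with-handlers ([exn:fail? (lambda (e) (format "error: ~a" (exn-message e)))])
         (sandbox-eval datum))])))

;; Constructed demo input, run locally without any network connection.
(module+ main
  (define ev (net-repl-eval (lambda () 'closed)))
  (for ([expr (in-list '((+ 1 2)                                ; ordinary expression
                         (open-output-file "net-repl-demo.txt") ; file write attempt
                         (let loop () (loop))                   ; runs into the time limit
                         (#%top-interaction close)))])          ; ends the session
    (printf "~s => ~s\n" expr (ev expr))))
```

The default sandbox configuration already denies file writes and network access, so the parameters set here only tighten the time and memory limits and capture output.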