Thanks for your note Hadley,
I would like to defend against a broad range of malicious activity, but the
focus of this module is to restrict file I/O to a specific area on the file
system. I agree that it's impossible to prevent, but I'm trying to
increase the difficulty level.
The user is inhibited from installing or loading packages, calling eval, or
any file I/O functions directly. Their script is checked against a
relatively long list of banned commands. I'm intending to run this check after
swapping calls to I/O functions to my safer versions. I think it would be
easy for the script to remove or modify my replacement functions, but not so
easy to modify them to something harmful.
I really do appreciate the critique, but I'm especially looking for advice
to improve on this.
Regards,
Mike
On 8/16/07, hadley wickham <[EMAIL PROTECTED]> wrote:
>
> What are you trying to defend against? A serious attacker could still
> use rm/assign/get/eval/... to circumvent your replaced functions. I
> think it would be very difficult (if not impossible) to prevent this
> from happening, especially if the user can load packages.
>
> Hadley
>
> On 8/16/07, Michael Cassin <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > I am trying to tighten file I/O security on a process that passes a
> > user-supplied script to R CMD Batch. Broadly speaking, I'd like to restrict
> > I/O to a designated path on the file system. Right now, I'm trying to
> > address this in the R environment by forcing the script to use modified
> > versions of scan, read.table, sys.load.image, etc.
> >
> > I can run a replace string on the user-supplied script so that, for example,
> > "scan(" is replaced by "safe.scan("
> >
> > e.g.
> >
> > > SafePath <- function(file) {fp <- strsplit(file, "/"); paste("safepath", fp[[1]][length(fp[[1]])], sep = "/")}
> > > SafePath("/etc/passwd")
> > [1] "safepath/passwd"
> >
> > > Safe.scan <- function(file, ...) scan(SafePath(file),...)
> > > Safe.scan("/etc/passwd",what="",sep="\n")
> > Error in file(file, "r") : unable to open connection
> > In addition: Warning message:
> > cannot open file 'safepath/passwd', reason 'No such file or directory'
> >
> > I'd appreciate any critique of this approach. Is there something more
> > effective or elegant?
> >
> > Regards,
> > Mike
> >
> > ______________________________________________
> > [email protected] mailing list
> > https://stat.ethz.ch/mailman/listinfo/r-devel
> >
>
>
> --
> http://had.co.nz/
>
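One way to tighten the path check from the original post, written here as an added example rather than code from the thread. It keeps the post's idea of collapsing every path to its last component under a "safepath" directory, and adds an explicit check that the resolved target still lies inside that directory, so a symlink placed in the sandbox cannot point the wrapper at a file elsewhere. It assumes a Unix-like file system and a sandbox directory named safepath under the working directory, as in the post; the names SANDBOX, safe_path, safe_scan and safe_read_table are hypothetical.

```r
## Added example, not from the thread. Assumes a Unix-like system and a
## sandbox directory "safepath" under the working directory (as in the post).
## Names (SANDBOX, safe_path, safe_scan, safe_read_table) are hypothetical.
SANDBOX <- normalizePath(file.path(getwd(), "safepath"),
                         winslash = "/", mustWork = FALSE)

safe_path <- function(file) {
  if (!is.character(file) || length(file) != 1L || is.na(file) || !nzchar(file))
    stop("file must be a single non-empty string")
  ## Keep only the last path component, as the original SafePath does, so
  ## "/etc/passwd" and "../../etc/passwd" both collapse to "passwd".
  name <- basename(file)
  if (name %in% c("", ".", ".."))
    stop("invalid file name: ", file)
  target <- file.path(SANDBOX, name)
  ## Resolve symlinks and confirm the result still lies inside the sandbox.
  ## For a file that does not exist yet, normalizePath returns the absolute
  ## path unchanged, so creating new files inside the sandbox still works.
  resolved <- normalizePath(target, winslash = "/", mustWork = FALSE)
  prefix <- paste0(SANDBOX, "/")
  if (substring(resolved, 1L, nchar(prefix)) != prefix)
    stop("refusing path outside sandbox: ", file)
  resolved
}

## Wrappers in the style of the post's Safe.scan: the user's script reaches
## the real I/O function only through safe_path.
safe_scan <- function(file, ...) scan(safe_path(file), ...)
safe_read_table <- function(file, ...) read.table(safe_path(file), ...)

## Self-checks: traversal and absolute paths collapse into the sandbox, and
## names that would escape it are rejected rather than silently rewritten.
stopifnot(identical(safe_path("/etc/passwd"), file.path(SANDBOX, "passwd")))
stopifnot(identical(safe_path("../../etc/passwd"), file.path(SANDBOX, "passwd")))
stopifnot(inherits(try(safe_path(".."), silent = TRUE), "try-error"))
stopifnot(inherits(try(safe_path("/"), silent = TRUE), "try-error"))
```

This only constrains the path handed to the wrappers. It does nothing about the bypass Hadley describes, where the script reaches the unwrapped functions by some route the text substitution does not catch; confinement of that kind has to be enforced outside the R process rather than inside it.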