guile-user
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Restricting Guile: a Guile-based sandbox.

From: Martin Grabmueller
Subject: Re: Restricting Guile: a Guile-based sandbox.
Date: Wed, 12 Sep 2001 13:45:08 +0200 
> From: Alejandro Forero Cuervo <address@hidden>
> Date: Tue, 11 Sep 2001 15:53:12 -0500
> 
> 1. Restrict the maximum time a given call to gh_eval_call might take.
>    Hopefully without using alarm(2).  The restriction might be based
>    on the number of cycles or total number of function calls or
>    something along those lines.  I just need to make sure a malicious
>    user can't take control of the server process through here.

This is currently not possible with Guile.  Maybe the alarm(2) version
could work, but I have not tried that yet.

> 2. Restrict the maximum memory a given call to gh_eval_call might
>    consume.

Same for this.

> 3. Restrict the functions/symbols provided in the environment that the
>    gh_eval_call evaluates in to a specific set, so only functions I
>    explicitly list can be executed.

This should be possible by using ``safe environments'' and `eval'.  I
suggest you grab the 1.5.2 beta of Guile and have a look in the
directory `examples/safe', which contains an example for how these
environments are made and used.

> 4. Reset the environment after executing the user's code, so that if
>    it defined symbols, they will be lost and the memory they used will
>    be freed.  This is necessary so the users won't be able to corrupt
>    the environment in any way.

With the abovementioned method, you simply throw an environment away
which has been used for executing user code, so no corruption or
memory hogging should be possible.

Unfortunately it appears that Guile was not designed with sandboxing
in mind.

Best regards,
  'martin
reply via email to
[Prev in Thread] Current Thread [Next in Thread]