Scanning an R script for potentially insidious commands
On Dec 19, 2012, at 7:38 AM, Joris Meys wrote:
On Wed, Dec 19, 2012 at 1:02 PM, Jan T Kim <jttkim at googlemail.com> wrote:
On Wed, Dec 19, 2012 at 12:39:21PM +0100, Joris Meys wrote:
The safest way to prevent attacks using an R connector is managing the permissions for the application on your own server. We do that with the RStudio Server application we have running. You have to take into account that R allows for many interactions with the system. Also file(), dir(), unlink() and all sys. functions have the potential to screen and possibly alter your system. Not only system() and eval() pose a security problem...
just out of curiosity, how do you disable these functions?
You got me wrong: We don't disable these functions, we just don't give the R instance that's executing the file any permissions on the system. So trying to run any function that wants to access the system only results in error messages. I believe we did that by creating a specific user account and linked that to the R application behind the interface. But sandboxing (as you mentioned) is just as good.
Creating a *specific* user is not enough as instances can affect each other (i.e. any job running on such a system is in jeopardy - you never know if your results were modified by a malicious process). Rserve allows separate uid/gid per connection so that's one way to tackle that - it also makes the separation easier. As Dirk pointed out, on Linux there is AppArmor and sandbox on OS X if you want to limit what the user can do. And, indeed, trying to filter commands is not the right way as it's trivial to circumvent - anyone with access to R has the capability to run arbitrary native code with .C/.Call and you can't disable that without making R unusable.
Cheers,
Simon
______________________________________________ R-devel at r-project.org mailing list https://stat.ethz.ch/mailman/listinfo/r-devel
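The per-job uid/gid separation described in the thread, sketched as a launcher that gives every R job its own account, a private 0700 working directory, a scrubbed environment and a CPU cap. This is an added example, not code from the thread or from Rserve; the `UID_BASE` range and the function names are assumptions, and switching accounts requires the launcher to run as root.

```python
import os
import resource
import subprocess
import tempfile

UID_BASE = 60000  # assumption: uid/gid range reserved for job accounts


def job_identity(job_no):
    """One uid/gid pair per job, never shared between concurrent jobs."""
    return UID_BASE + job_no, UID_BASE + job_no


def make_workdir(uid, gid):
    """Private 0700 scratch directory owned by the job's own account."""
    path = tempfile.mkdtemp(prefix="rjob-")  # mkdtemp creates it mode 0700
    if (uid, gid) != (os.geteuid(), os.getegid()):
        os.chown(path, uid, gid)  # needs root; raises instead of sharing
    return path


def run_job(argv, uid, gid, workdir, cpu_seconds=60):
    """Run argv (e.g. ["Rscript", "--vanilla", "job.R"]) as uid/gid."""
    ident = {}
    if (uid, gid) != (os.geteuid(), os.getegid()):
        if os.geteuid() != 0:
            # Fail closed: never fall back to running as the launcher.
            raise PermissionError("switching uid/gid requires root")
        # Python 3.9+: drop to the job account and clear extra groups.
        ident = {"user": uid, "group": gid, "extra_groups": []}

    def cap_cpu():
        # Lower the CPU limit without exceeding an existing hard limit.
        _, hard = resource.getrlimit(resource.RLIMIT_CPU)
        cap = cpu_seconds if hard == resource.RLIM_INFINITY else min(cpu_seconds, hard)
        resource.setrlimit(resource.RLIMIT_CPU, (cap, cap))

    # Scrubbed environment: the job inherits none of the launcher's secrets.
    env = {"PATH": "/usr/bin:/bin", "HOME": workdir, "TMPDIR": workdir}
    return subprocess.run(argv, cwd=workdir, env=env, preexec_fn=cap_cpu,
                          capture_output=True, text=True,
                          timeout=10 * cpu_seconds, **ident)
```

The account switch only limits what a job can reach through file and process ownership; an AppArmor or sandbox profile, as mentioned in the thread, is still what restricts the rest of the system.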