R in sandbox/jail (long question)
On 18/05/2010 10:38 PM, Assaf Gordon wrote:
Hello, I have a setup similar to Rweb ( http://www.math.montana.edu/Rweb/ ): I get R scripts from users and need to execute them in in a safe manner (they are executed automatically, without human inspection). I would like to limit the user's script to reading from STDIN and writing to STDOUT/ERR. Specifically, preventing any kind of interaction with the underlying operating system (files, sockets, system(), etc.). I've found this old thread: http://r.789695.n4.nabble.com/R-in-a-sandbox-jail-td921991.html But for technical reasons I'd prefer not to setup a chroot jail. I have written a patch that adds a "--sandbox" parameter. When this parameter is used, the user's script can't create any kind of connection object or run "system()".
That sounds too restrictive. R uses connections internally in various places, with no reference to the file system. It also uses them when reading its own files. So if you stop a user from creating connections, you'll somehow need to distinguish between user-created ones and internally necessary ones: not easy. My plan is to run R like this:
cat INPUT | R --vanila --slave --sandbox --file SCRIPT.R > OUTPUT Where 'INPUT' is my chosen input and 'SCRIPT.R' is the script submitted by the user. If the script tries to create a conncetion or run a disabled function, an error is printed. This is the patch: http://cancan.cshl.edu/labmembers/gordon/files/R_2.11.0_sandbox.patch So my questions are: 1. Would you be willing to consider this feature for inclusion ? 2. Are there any other 'dangerous' functions I need to intercept ( ".Internal" perhaps ?)
.Internal is needed by tons of base functions. So again, you'll need to distinguish where the call is coming from, and that's not easy. Duncan Murdoch
All comments and suggestions are welcomed, thanks, -gordon
______________________________________________ R-devel at r-project.org mailing list https://stat.ethz.ch/mailman/listinfo/r-devel