lua-l archive

I would like to make some remarks about your observations:

- About sandboxes: in Lua, the correct way to prepare a sandbox is
not to remove things from the environment, but to start with an empty
environment and add only the strictly necessary. In particular,
setglobals/getglobals should never be part of a sandbox. If you do not
have getglobals, all problems about stealing disappear ("traps" 2, 3, and
4).

- About missing levels: as already explained, that was a bug. You still
cannot change the environment of a function that ended in a tail call,
but you do not get wrong results. Moreover, there is no tail call when
you call a C function, so "loadfile" always gets the correct environment.

- "require" is a different thing. I do not think that a required module
should share the environment of the caller. A module must work
independently of who called it. About security breaches, there are
several solutions. You can simply not put "require" inside the
sandbox, or you can set LUA_PATH to a place that has only "secure"
modules. A sandbox cannot change LUA_PATH (it has no access to the
global environment).

- You say "that a function is likely to return or produce closures
with different globals than those locally in effect is almost always
confusing." I did not understand that point. A function always produces
closures with the globals locally in effect.

Anyway, I've got the overall idea that the main problem is not the
environments per se, but the set/getglobals functions. We will not
change anything for 5.0 final (only their names), but we may change
those functions for 5.1, after all of us have more time to learn how
to use them.

-- Roberto
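The whitelist approach from the first remark, written out as an added example (not code from the post or from the Lua distribution). It assumes the Lua 5.1 API, where the functions discussed above ended up as setfenv/getfenv and chunks are compiled with loadstring; Lua 5.2 and later replace setfenv with the env argument of load(chunk, name, mode, env).

```lua
-- Added example: a whitelist sandbox for Lua 5.1 (assumed API: loadstring/setfenv/pcall).
-- The environment starts empty; only the listed names are copied in. io, os, require,
-- setfenv, getfenv, loadstring, rawset and everything else simply do not exist inside.
local function make_sandbox_env()
  local env = {
    print    = print,
    pairs    = pairs,
    ipairs   = ipairs,
    type     = type,
    tostring = tostring,
    tonumber = tonumber,
    -- Expose copies of library tables, never the shared originals, so sandboxed code
    -- cannot patch functions that trusted code also calls.
    string = { format = string.format, sub = string.sub, len = string.len },
    math   = { floor = math.floor, max = math.max, min = math.min },
  }
  -- Caveat: in 5.1 the string metatable still routes ("x"):rep(n) to the real string
  -- library, so the copy above restricts the global name, not method-call access.
  return env
end

-- Compile untrusted source and run it under a fresh whitelist environment.
-- Returns ok, result_or_error in the same shape as pcall.
local function run_sandboxed(source)
  local chunk, err = loadstring(source, "=sandbox")
  if not chunk then return false, err end
  setfenv(chunk, make_sandbox_env())   -- chunk's globals now resolve only in env
  return pcall(chunk)
end

-- Constructed inputs for illustration.
print(run_sandboxed("return string.format('%d', math.max(2, 7))"))

-- A global the sandbox never received is nil inside it, so reaching for it
-- fails with an ordinary runtime error rather than touching the host.
print(run_sandboxed("return os.time()"))

-- The same holds for the environment functions themselves: without getfenv
-- there is nothing to "steal" the caller's environment with.
print(run_sandboxed("return getfenv(0)"))
```

Each call gets its own environment table, so two sandboxed chunks cannot leave globals behind for each other; if they must share state, pass one explicitly constructed table to setfenv for both.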