lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]


On Tuesday 23 August 2005 09:30, many people wrote:
> Lots of messages about sandboxing Lua

Wee! 40 messages waiting for me when I get in to work!

The reason why I'm posting this is that I've noticed that nobody's actually 
explained the following yet, which may help to clarify things slightly.

There are two parts to Lua; there's the language (if...then...end, 
while...end, function...end, etc), and there are the libraries (print, 
math.sin, io.open, etc). The Lua *language* has zero functionality for doing 
anything without the libraries. As all the libraries are accessed via global 
variables, and the set of global variables a piece of code has access to can 
be easily changed, this means that the set of available libraries is 
trivially customisable. This means that it's possible to remove *all* ways 
that a Lua script can interact with the outside world, by simply removing the 
set of available libraries.

This Lua program:

  script = io.read("*all")   -- read in text from stdin
  chunk = loadstring(script) -- compile into an executable Lua chunk
  setfenv(chunk, {})         -- completely empty the chunk's globals

  status, result = pcall(chunk) -- execute the chunk
  print("status=", status, " result=", result)

...implements a safe Lua interpreter. It will execute the Lua program given in 
stdin in a sandboxed environment; the only way the sandboxed program has of 
interacting with the outside world is to return a value --- try it. If you 
can break it, the devs here would love to know because it's a major bug. 
It'll even execute invalid Lua code safely, returning the error that occurred 
so your program can deal with it.

(Typically you wouldn't do the above, because there are a number of safe 
functions that all Lua programs use; tonumber(), tostring(), type(), 
unpack(), math, table, etc. You'd want to provide these to the sandboxed 
program.)

This *doesn't* put limits on CPU time and memory usage, but you can do that 
fairly easily by using the C API --- you'd set a timer that, when fired, 
would cause the sandboxed program to be terminated. By putting a bound on the 
amount of CPU time you automatically put a bound on the amount of memory, but 
that can be customised as well.

Does this help?

-- 
+- David Given --McQ-+ "...it's not that well-designed GUI's are rare,
|  dg@cowlark.com    | it's just that the three-armed users GUI's are
| (dg@tao-group.com) | designed for are rare." --- Mike Uhl on a.f.c
+- www.cowlark.com --+ 

Attachment: pgpK9jUBhFiVN.pgp
Description: PGP signature