lua-l archive



On Tue Aug 23, 2005 at 12:41:36 +0100, Jamie Webb wrote:
>On Mon, Aug 22, 2005 at 10:58:25PM -0300, Alain wrote:
>> That is ok and most of the time works. Users most of the time have a way 
>> of transforming a situation, and then is when I don't trust them.
>> 
>> If a user can say: "The specs say it is Lua code, this is Lua code so it 
>> should work for you too". That is when they get most aggressive. When I 
>> can say that it is *not* lua, but something with special limitations and 
>> if I can enforce such limitations, then I *can*trust* the users because 
>> they have no ground for arguing.
>> 
>> In the last years, I learned some interesting things about users: if 
>> they think that they will get away with it, they will try to break it. 
>> If they feel that you can catch them (audit logs, video recordings) then 
>> they don't even try.
>
>So, replace all the 'dangerous' functions with:
>
>function os.execute()
>	emailSysAdmin()
>	print [[
>This function is disabled. You are very bad for trying to use it. The
>system administrator has been notified. Big brother is watching.
>]]
>end
>
>If you run Lua with a sandbox, it /is/ a restricted version and you
>/can/ enforce that. And you /can/ tell your users it's a restricted
>version. Why are you so convinced that sandboxing won't do what you
>want?

Everyone here seems to be missing what the OP wants, which is that they
want to change the *syntax* of Lua, not the functions a user can
access.[*]

So, for example they probably don't want them defining functions, or using
loops.

Of course, I agree with the other replies that this probably isn't something
that can easily be done in Lua.


Cheers,

Benno

[*] Disclaimer: I could of course be wrong, but that was the impression I got
when reading the original posts.
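
The function-level sandbox described in the quoted reply, as an added example that is not part of the original thread: user code is compiled against an allowlisted environment, and denied functions are replaced by stubs that record the attempt. It assumes Lua 5.2 or later (`load` with an environment argument); `audit_log`, `denied`, `make_env` and `run_restricted` are hypothetical names, and the log table stands in for the `emailSysAdmin()` call above. It limits which functions a script can reach, not which syntax it may use.

```lua
-- Added example (Lua 5.2+); all helper names are hypothetical.
local audit_log = {}   -- stands in for notifying the system administrator

-- Build a stub that records the attempt and then refuses to run.
local function denied(name)
  return function()
    audit_log[#audit_log + 1] =
      os.date("!%Y-%m-%dT%H:%M:%SZ") .. " blocked call: " .. name
    error(name .. " is disabled in this restricted environment", 2)
  end
end

-- Allowlist: only what user scripts are meant to use is copied in.
-- A fresh table per run keeps one script from tampering with the next.
local function make_env()
  local env = {
    print = print, pairs = pairs, ipairs = ipairs,
    tostring = tostring, tonumber = tonumber, type = type,
    string = { format = string.format, sub = string.sub, len = string.len },
    math = { floor = math.floor, max = math.max, min = math.min },
    os = { time = os.time,
           execute = denied("os.execute"), remove = denied("os.remove") },
    io = { open = denied("io.open") },
    require = denied("require"), load = denied("load"),
    dofile = denied("dofile"), loadfile = denied("loadfile"),
  }
  env._G = env
  return env
end

-- Compile untrusted source as text only ("t" rejects precompiled bytecode)
-- with the restricted table as its global environment, then run it protected.
local function run_restricted(source)
  local chunk, err = load(source, "=user", "t", make_env())
  if not chunk then return false, err end
  return pcall(chunk)
end

-- Constructed sample input: one permitted call, one denied call.
local ok, err = run_restricted([[
  print(string.format("2 + 2 = %d", 2 + 2))
  os.execute("ls")
]])
print(ok, err)
for _, line in ipairs(audit_log) do print(line) end
```

Method calls on string values still reach the full string library through the string metatable, and nothing here bounds CPU time or memory, so both need separate handling in a real deployment.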