- Subject: Re: LuaJIT FFI __gc metamethod?
- From: Josh Haberman <jhaberman@...>
- Date: Mon, 28 Feb 2011 22:24:03 +0000 (UTC)
Josh Haberman <jhaberman <at> gmail.com> writes:
> For example, suppose you had a design
> where the entire process acts on behalf of a user
Maybe we're saying the same thing, but in different ways.
Even in the design I described, all of the user's code runs
in a process for that user, that can be killed at will --
maybe that's what you mean by "the only reasonably safe way
to run untrusted/malicious Lua scripts is to sandbox it
at the process level."
But even if you run the untrusted script in its own process,
you still need a sandbox to prevent it from making arbitrary
system calls. ptrace(2) is one option, but AFAIK Lua (without
FFI) can be sufficiently sandboxed such that a ptrace sandbox
is not necessary. But with FFI, it appears this is not possible.
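The "Lua without FFI can be sufficiently sandboxed" case from the message, as an added example that is not code from this thread or from LuaJIT itself. It assumes the Lua 5.1 API that LuaJIT implements (`loadstring`, `setfenv`, `debug.sethook` with a count hook) and constructs its own sample scripts: the untrusted chunk receives a hand-built environment table in which `require`, `package`, `os`, `io`, `debug`, `loadstring` and therefore `ffi` simply do not exist, so it has no path to a C call and no path to a system call. A coroutine plus an instruction-count hook gives the host a way to abort a runaway script short of killing the process.

```lua
-- Added example (not from the original thread): a minimal environment
-- sandbox for LuaJIT / Lua 5.1. Untrusted code gets only the whitelist
-- below, so it cannot reach require, package, os, io, debug or ffi.
-- If the ffi module were reachable, none of this would help: ffi.C gives
-- direct access to libc, i.e. to arbitrary system calls.

local function make_env()
  -- Only pure, side-effect-free functions are copied in. The string
  -- library is whitelisted explicitly (string.dump is left out); math is
  -- exposed through a proxy so that writes land in the proxy, not in the
  -- host's math table.
  local env = {
    assert = assert, error = error, ipairs = ipairs, next = next,
    pairs = pairs, pcall = pcall, select = select, tonumber = tonumber,
    tostring = tostring, type = type, unpack = unpack,
    print = print,  -- writes to the host's stdout; drop it if that matters
    string = { byte = string.byte, char = string.char, find = string.find,
               format = string.format, gmatch = string.gmatch,
               gsub = string.gsub, len = string.len, lower = string.lower,
               match = string.match, rep = string.rep,
               reverse = string.reverse, sub = string.sub,
               upper = string.upper },
    table = { concat = table.concat, insert = table.insert,
              remove = table.remove, sort = table.sort },
    math = setmetatable({}, { __index = math }),
  }
  env._G = env
  return env
end

-- Run `src` (Lua source text) in a fresh environment with an instruction
-- budget. Returns ok, result_or_error, like pcall.
local function run_untrusted(src, max_instructions)
  -- Refuse precompiled chunks: loadstring accepts bytecode, and LuaJIT
  -- does not verify it, so a crafted chunk could break VM invariants.
  if src:sub(1, 1) == "\27" then
    return false, "bytecode chunks are not accepted"
  end
  local chunk, err = loadstring(src, "=untrusted")
  if not chunk then return false, err end
  setfenv(chunk, make_env())

  -- Run in a coroutine so the count hook applies to this thread only.
  local co = coroutine.create(chunk)
  debug.sethook(co, function() error("instruction limit exceeded", 2) end,
                "", max_instructions or 1000000)
  return coroutine.resume(co)
end

-- Constructed sample scripts (not real user input).
local benign = [[
  local t = {}
  for w in string.gmatch("sandbox the lua state", "%a+") do t[#t + 1] = w end
  return table.concat(t, "-")
]]
local hostile = [[
  -- `require` is not in the environment, so this raises
  -- "attempt to call global 'require'" before ffi is ever loaded.
  local ffi = require("ffi")
  return ffi.C.getpid()
]]
local spinner = "while true do end"

print(run_untrusted(benign))          -- succeeds with the joined string
print(run_untrusted(hostile))         -- fails: require is nil in the sandbox
print(run_untrusted(spinner, 100000)) -- fails: instruction limit hit
```

Two caveats a practitioner should keep in mind with this approach. First, Lua 5.1 strings carry a shared metatable whose `__index` is the real `string` table, so method syntax such as `("x"):rep(3)` still reaches every string function; that is harmless here only because `loadstring` is absent from the environment and `getmetatable` is too, so the script can neither execute `string.dump` output nor alter the shared metatable. Second, the hook caps CPU but not memory, and nothing in a pure-Lua sandbox protects against bugs in the VM itself; that is why the message still treats a separate, killable process (with ptrace or a comparable syscall filter when FFI is in play) as the outer boundary rather than an alternative.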