Indeed, there are definitely different use cases for config files, with different levels of trust - from "only the sysadmin should be able to edit this, so if they put something stupid in there, that's their own fault" to "anything the user runs could potentially put something stupid in here" to "people will be downloading these and expecting them to be trustable", and also from "this script should have the ability to do just about anything" (things like changing the locale, setting resource limits) to "this script is expected to only use the provided functions to describe an object". Depending on the use case you might want more or less sandboxing, or none at all.

Assigning resource limits to the process is certainly one solution, but that applies to the entire process. Is it possible to remove those limits after reading the config? Once a process drops root privileges, AFAIK it can't get them back, because that would defeat the entire purpose (once malicious code had taken over the process, it could just re-request root privileges). Does the same not apply to resource limits?

On Thu, Dec 19, 2013 at 10:54 AM, Roberto Ierusalimschy <roberto@inf.puc-rio.br> wrote:
> Rather than controlling what users can do, I would prefer to control the effect they can have. Why should they not have the benefit of a full featured language to configure your program?
>
> So, for example, assuming you are using Lua as an embedded language, run the configuration script in its own Lua state and then have a (protected) procedure to copy the resultant data structures over into your main Lua state, with verification and filtering as necessary.
>

Probably I am being too naive, but I have written a very simple sandbox
that seems to be enough to ensure a "safe" execution of a script. It
simply uses debug hooks to control CPU usage, finalizers to control
memory usage, and a restricted environment (empty by default) to control
what the script can call. It would be nice if other people could
check it. (It assumes Lua 5.2.)

-- Roberto
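A sandbox in the shape Roberto describes (a debug count hook for CPU, a self-re-arming finalizer for memory, an empty environment), plus the copy-with-filtering step from the quoted suggestion, written out as an added example; it is not the code Roberto posted. It assumes Lua 5.2, and the limit values and the names `run_config` and `filter` are mine.

```lua
-- Added example, not Roberto's code: a Lua 5.2 sandbox in the shape the message describes.
local MAX_INSTRUCTIONS = 1000000   -- CPU budget in VM instructions (assumed value)
local MAX_MEMORY_KB    = 2048      -- heap budget, counts the whole state (assumed value)
-- Keep only plain data (strings, numbers, booleans, bounded-depth tables) from
-- the script's result; functions, userdata and threads are dropped.
local function filter(v, depth)
  local t = type(v)
  if t == "string" or t == "number" or t == "boolean" then return v end
  if t ~= "table" or depth > 8 then return nil end   -- depth bound also stops cycles
  local out = {}
  for k, x in pairs(v) do
    local fk, fx = filter(k, depth + 1), filter(x, depth + 1)
    if fk ~= nil and fx ~= nil then out[fk] = fx end
  end
  return out
end
local function run_config(code)
  -- Empty environment: no globals unless the host adds them (string methods do
  -- stay reachable through the shared string metatable).
  local chunk, err = load(code, "=config", "t", {})  -- "t": source only, no bytecode
  if not chunk then return nil, err end
  -- CPU: a count hook fires every 1000 VM instructions; an error in it aborts the script.
  local steps = 0
  debug.sethook(function()
    steps = steps + 1000
    if steps > MAX_INSTRUCTIONS then error("config: CPU limit exceeded", 0) end
  end, "", 1000)
  -- Memory: a sentinel whose finalizer checks the heap at each GC cycle and re-arms
  -- itself; in Lua 5.2 an error raised in a finalizer propagates into the running code.
  local active = true
  local function arm()
    setmetatable({}, { __gc = function()
      if not active then return end           -- script is done; stop re-arming
      if collectgarbage("count") > MAX_MEMORY_KB then
        error("config: memory limit exceeded", 0)
      end
      arm()
    end })
  end
  arm()
  local ok, result = pcall(chunk)
  active = false
  debug.sethook()                             -- give the host its normal state back
  if not ok then return nil, result end
  return filter(result, 0)
end
-- Constructed inputs: a well-behaved config, then one that allocates without bound.
local cfg = run_config("return { name = 'demo', retries = 3, init = function() end }")
print(cfg.name, cfg.retries, cfg.init)        -- init is a function, so it was filtered out
print(run_config("local s = {} for i = 1, 1e9 do s[i] = {} end"))
```

The memory check only runs when a collection cycle completes, so a single very large allocation can still land before the finalizer sees it; running the script in its own state, as the quoted message suggests, keeps that heap separate from the host's.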



This looks like an interesting approach, and I'll have to try it out. I hadn't thought of using debug hooks to limit what functions can be called.

--
Sent from my Game Boy.