lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

I feel like a lot of other replies are focusing on the exact question
of preventing modification of global table rather than intent of
isolating scripts from one another.

Say you've somehow managed to disallow modification of global table.
Some malicious party then still can make others execute their code by
doing things like

string.sub = function() return "Evil!" end

The only method to avoid this pitfall would be creating a full deep
copy of default state, being careful not to miss anything - at which
point creating separate Lua state for each script is probably a more
viable idea. From what I remember, Lua states are pretty light anyways,
so memory usage shouldn't be of great concern.
In addition to this, you'll also want to do usual sandboxing stuff to
protect host itself - disable loading from bytecode, most/all of debug
library, etc..

On Wed, 2022-01-19 at 15:35 +0200, Meir Shpilraien wrote:
> Hi everyone,
> I was wondering what is the recommended way to disallow script
> changing the global table. The problem I am facing, assuming I
> provide for example an api to the users, A1, another user can do:
> 'A1=function ... end', and override my implementation of A1 and cause
> all other users to run his code.
> I can think of multiple ways:
> 1. Create a lua vm per script - this requires a lot of memory
> 2. Different environments per script - also might require a lot of
> memory
> 3. Make the global table a Readonly tables as
> described here:, though in
> this way user can use rawset to bypass it, and I can not use a
> userdata to avoid it because I can not set a usedata as a global
> table (and I do not want to disallow rawset).
> Is there any other way to lock the global table from any changes?
> I am using lua 5.1.5.
> Thanks.
> Disclaimer
> The information contained in this communication from the sender is
> confidential. It is intended solely for use by the recipient and
> others authorized to receive it. If you are not the recipient, you
> are hereby notified that any disclosure, copying, distribution or
> taking action in relation of the contents of this information is
> strictly prohibited and may be unlawful.

v <>