[plt-scheme] Re: Sandboxing and modules

From: David Van Horn (dvanhorn at cs.uvm.edu)
Date: Sat Feb 7 12:47:07 EST 2004

Markku Rontu wrote:
> Hello again,
> 
> I received this (partial) answer from Jens and he requested to forward this to
> the list as well. His code does get around the name conflicts but,
> unfortunately, it's not a suitable solution as is. Why? The user can evaluate
> code like:
> 
> ---
> 
> (#%require (rename mzscheme delete-file delete-file))
> (delete-file ...)
> 
> ---
> 
> This is security by obscurity and not a real solution for a sandbox. Any more
> ideas?

You can prevent file and network access with Security Guards (Sec. 9.1 of 
MzScheme Language Manual).

E.g., the following should disallow all network and file access attempts by 
untrusted-s-expr (not tested):

(parameterize ((current-security-guard
                (make-security-guard (current-security-guard)
                                     ;; file guard: deny by raising; a returned value is ignored and means "allow"
                                     (lambda (who path . _)
                                       (error who "file access denied: ~e" path))
                                     ;; network guard: same rule
                                     (lambda (who host . _)
                                       (error who "network access denied: ~e" host)))))
  (eval untrusted-s-expr))

David
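As an added worked example (not code from this thread, and written in current Racket rather than the MzScheme of 2004), here is the security-guard approach end to end: guards that deny by raising, a fresh namespace for the untrusted forms, and a check that the rename trick quoted above does not get past the guard, because the guard is consulted by the primitive itself, not by the name it is bound to. The `rename-in`, `make-base-namespace` and `racket/tcp` names are modern Racket; the path and host used as inputs are placeholders.

```racket
#lang racket

;; Added example, not from the original message. Guards deny by raising:
;; whatever they return is ignored and counts as "allow".
(define (deny-file who path modes)
  (raise (exn:fail:filesystem
          (format "~a: file access denied: ~a ~a" who path modes)
          (current-continuation-marks))))

(define (deny-network who host port client?)
  (raise (exn:fail:network
          (format "~a: network access denied: ~a:~a" who host port)
          (current-continuation-marks))))

;; Evaluate untrusted top-level forms, one at a time, in a fresh namespace
;; with both guards installed. Returns (cons 'ok last-value) or
;; (cons 'denied message).
(define (run-sandboxed . forms)
  (define ns (make-base-namespace))
  ;; With a deny-all file guard nothing can be loaded from disk, so attach
  ;; up front every module the sandboxed code is meant to see.
  (namespace-attach-module (current-namespace) 'racket/tcp ns)
  (define guard (make-security-guard (current-security-guard)
                                     deny-file
                                     deny-network))
  (with-handlers ([exn:fail:filesystem? (lambda (e) (cons 'denied (exn-message e)))]
                  [exn:fail:network?    (lambda (e) (cons 'denied (exn-message e)))])
    (parameterize ([current-security-guard guard]
                   [current-namespace ns])
      (cons 'ok (for/last ([form (in-list forms)]) (eval form))))))

;; Constructed inputs; the path and host are placeholders and are never touched.
(run-sandboxed '(+ 1 2))
(run-sandboxed '(delete-file "/tmp/sandbox-victim"))
;; The rename trick from the thread: the renamed binding is the same
;; primitive, and the primitive is what consults the guard.
(run-sandboxed '(require (rename-in racket/base [delete-file rm]))
               '(rm "/tmp/sandbox-victim"))
(run-sandboxed '(require racket/tcp)
               '(tcp-connect "example.com" 80))
```

The first call returns an 'ok pair; the other three return 'denied pairs carrying the guard's message, and the file on disk is never touched because the guard runs before the primitive does any work. Two caveats worth keeping in mind: a deny-all file guard also blocks loading modules from disk, which is why the example attaches the modules it wants visible before installing the guard; and a security guard covers file, network (and, in later versions, link) primitives only, so CPU time and memory still need a custodian and limits (later Racket bundles all of this in racket/sandbox).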



Posted on the users mailing list.