[plt-scheme] Insecure procedures

From: Eli Barzilay (eli at barzilay.org)
Date: Tue Aug 17 19:04:38 EDT 2004

On Aug 17, Don Felgar wrote:
> >   (current-security-guard
> >    (make-security-guard
> >     (current-security-guard)
> >     (lambda (who path what)
> >       (when (memq 'execute what)
> >         (error "I'm sorry Dave, I'm afraid I can't do that.")))
> >     void))
> > 
> > I don't see the problem with `eval' etc.
> On second thought you must be right about eval.
> 'System' effectively gives the remote user a shell on the server.  I
> agree this isn't necessarily bad, but it's useless for my
> application and therefore creates work and risk on my part.

The above sample should take care of this.

> This is true in varying degrees with require, load, open-input-file
> and anything else I haven't thought of.

Well, all of these can basically open a file and read it.  If you
prevent reading certain files, then load and open-input-file should be
impossible.  You might want to also inspect the path argument and
forbid access to some parts of the file system.

> > If you're planning to let different users run code, then you'll
> > probably want to set each user with a different namespace.  (I
> > once hacked a remote Scheme thing which did something similar, in
> > case you want some half baked code.)
> Please do email the code.  In fact I planned to make namespaces the
> topic of my next question so I'm sure it will save me time.  I
> promise not to sneer or make derisive remarks about your half-baked
> code the way the ladies do to me behind my back.

No problems.  It's pretty ancient, so I had a quick pass to make sure
that it works with v208.  What it does is run a Scheme server, letting
people connect and use it, where each connection gets its own
"shell".  There are some shell commands (like pwd, cs, ls, rm) and
ways to run stuff in the background (if an evaluation takes a while,
you can press C-z and it gets backgrounded).  There is also a "say"
command that everyone connected sees, and my plan was to make it
possible to create any object (like a closure) and hand it over to
some other connected user which will get to use it.


(This is unrelated to R-Scheme.)

          ((lambda (x) (x x)) (lambda (x) (x x)))          Eli Barzilay:
                  http://www.barzilay.org/                 Maze is Life!

Posted on the users mailing list.
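An added example, not code from this thread or from Eli's server, that puts the two points above into runnable form: a security guard built with the same three-argument `make-security-guard` shape as the quoted snippet, which refuses 'execute outright, inspects the path argument so reads and writes stay under one sandbox directory, and refuses network access; plus one namespace per user so that definitions made by one connection are invisible to the others. It is written against current Racket rather than PLT Scheme v208. The sandbox location under the temp directory, the user ids "alice" and "bob", and the helpers `run-for-user` and `try` are assumptions made for the illustration.

```racket
#lang racket/base
;; Added example (not from the original thread): execute/path/network
;; guard plus one namespace per user. Sandbox root and user ids are assumed.
(require racket/file   ; make-directory*
         racket/tcp)   ; tcp-connect, for the host-side network check

;; Assumed sandbox root: everything a user may read or write lives under it.
(define sandbox-root
  (simplify-path
   (build-path (find-system-path 'temp-dir) "scheme-sandbox") #f))

;; Purely syntactic containment check: complete the path against the
;; current directory, collapse "." and "..", then compare with the root.
;; No filesystem calls are made here, so the guard never re-enters itself.
(define (inside-sandbox? p)
  (define full (path->string (simplify-path (path->complete-path p) #f)))
  (define root (path->string sandbox-root))
  (define root/ (path->string (path->directory-path sandbox-root)))
  (or (string=? full root)
      (and (>= (string-length full) (string-length root/))
           (string=? (substring full 0 (string-length root/)) root/))))

(define (deny who fmt . args)
  (raise (exn:fail:filesystem
          (format "~a: ~a" who (apply format fmt args))
          (current-continuation-marks))))

(define (make-sandbox-guard)
  (make-security-guard
   (current-security-guard)
   ;; File guard: refuse execution first, then any path outside the root.
   (lambda (who path modes)
     (when (memq 'execute modes)
       (deny who "execution is not allowed"))
     (when (and path (not (inside-sandbox? path)))
       (deny who "~a is outside the sandbox" path)))
   ;; Network guard: refuse every connection, client or server side.
   (lambda (who host port client?)
     (raise (exn:fail:network
             (format "~a: network access is not allowed" who)
             (current-continuation-marks))))))

;; One namespace per user, created on first use and reused afterwards.
;; Top-level definitions made by one user are not visible to any other.
(define user-namespaces (make-hash))
(define (user-namespace user)
  (hash-ref! user-namespaces user make-base-namespace))

;; Evaluate expr for user with the sandbox guard installed and the
;; current directory set to the sandbox root so relative paths stay inside.
(define (run-for-user user expr)
  (parameterize ([current-namespace (user-namespace user)]
                 [current-directory sandbox-root]
                 [current-security-guard (make-sandbox-guard)])
    (eval expr)))

(define (try user expr)
  (with-handlers ([exn:fail? (lambda (e) (printf "ERROR ~a\n" (exn-message e)))])
    (printf "OK ~s\n" (run-for-user user expr))))

(module+ main
  (make-directory* sandbox-root)
  ;; Allowed: a relative path resolves under the sandbox root.
  (try "alice" '(begin
                  (with-output-to-file "note.txt" (lambda () (display "hello"))
                    #:exists 'replace)
                  (call-with-input-file "note.txt" read-line)))
  ;; Refused: ".." traversal, an absolute path, and a subprocess.
  (try "alice" '(call-with-input-file "../../etc/passwd" read-line))
  (try "alice" '(call-with-input-file "/etc/passwd" read-line))
  (try "alice" '(subprocess #f #f #f "/bin/ls"))
  ;; Refused: the network guard, exercised directly from the host side.
  (with-handlers ([exn:fail:network?
                   (lambda (e) (printf "ERROR ~a\n" (exn-message e)))])
    (parameterize ([current-security-guard (make-sandbox-guard)])
      (tcp-connect "example.org" 80)))
  ;; Namespace isolation: alice's definition does not leak to bob.
  (try "alice" '(define secret 42))
  (try "alice" 'secret)
  (try "bob" 'secret))
```

Two caveats worth keeping in mind. The guard is installed only after the namespace exists, so attaching racket/base costs no file reads, but a user who types `(require racket/list)` will be refused, because the collection files sit outside the sandbox root; whatever library a session needs has to be attached before the guard goes up. And a security guard governs only the primitives that consult it (file, network, subprocess); it puts no bound on CPU time or memory, so a server like the one described above still wants a custodian with a memory limit per connection, or `racket/sandbox`, alongside it.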