[racket] planet security

From: Tom McNulty (tom at cetiforge.com)
Date: Thu Jan 27 14:23:39 EST 2011

I second this concern, and such attacks become easier to pull off when targeting a centralized system. I'm not sure a safe-require routine could work though, as ultimately many of these packages are downloaded for their side effects (database drivers etc).

Even if some sandboxed scheme could be devised, there is still no assurance the code you're running is what the (trusted) author intended; an attacker could insert a 'safe' data-diddling routine. Perhaps a key-signing system similar to secure-apt could ameliorate some of these concerns.

On 2011-01-27, at 11:45 AM, Nikita B. Zuev wrote:

> If I understand correctly, when we require a module from the planet, it
> gets downloaded to racket home directory, compiled and required.
> Racket's require is not just about getting definitions, it also
> evaluates code inside required module.
> So in theory a malicious person can make a planet package that provides
> something useful and also behind the scenes evaluates something like:
> (system "sudo rm -rf /")
> I prefer to think that there are no such people using racket, but with
> its (racket's) growing popularity this can become the case. Recent
> events with planet made me more cautious.
> I wonder if there is a way to create something like `safe-require'
> using racket sandboxes, that will allow to require modules in context
> where they can not perform any `unsafe' IO, access network,
> filesystem, shell etc?
> -- 
> Regards,
> Nikita B. Zuev

Posted on the users mailing list.
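
The sandboxed require discussed in this thread, sketched with `racket/sandbox` as an added example (not code from either poster or from PLaneT). The module `pkg` and the file name are constructed stand-ins for a downloaded package whose body has a side effect; the same default policy would also block a legitimate package that needs file or network access, which is the limitation raised in the reply.

```racket
#lang racket/base
;; Added illustration: instantiate an untrusted module inside a sandbox
;; evaluator so that side effects in its body hit the sandbox security guard.
(require racket/sandbox)

;; Constructed stand-in for a downloaded package. It provides something
;; useful, but its body also writes a file when the module is instantiated.
(define untrusted-module
  '(module pkg racket/base
     (provide double)
     (define (double x) (* 2 x))
     ;; Side effect that runs at require time, not at call time.
     (call-with-output-file "planet-demo-marker.txt"
       (lambda (out) (write 'touched out))
       #:exists 'truncate)))

;; Default sandbox policy: no file writes, no network access, and
;; time/memory limits on each evaluation.
(define ev
  (parameterize ([sandbox-output 'string]
                 [sandbox-error-output 'string])
    (make-evaluator 'racket/base)))

;; Declaring the module does not run its body yet.
(ev untrusted-module)

;; Requiring it instantiates the body; the denied write surfaces here
;; as an exception raised to the caller of the evaluator.
(define outcome
  (with-handlers ([exn:fail? (lambda (e)
                               (format "blocked: ~a" (exn-message e)))])
    (ev '(require 'pkg))
    "required with no denied operation"))

(printf "sandboxed require -> ~a\n" outcome)
(printf "marker file present on host: ~a\n"
        (file-exists? "planet-demo-marker.txt"))

(kill-evaluator ev)
```

The sandbox restricts what the code can touch; it says nothing about whether the code is what its author published, which is the separate problem the signing suggestion addresses.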