[Rd] question

Thomas Lumley thomas@biostat.washington.edu
Wed, 15 Mar 2000 08:35:12 -0800 (PST)


On Wed, 15 Mar 2000, Erich Neuwirth wrote:

> here is another question (kurt already knows about it).
> i would like to do a client server version
> of R where the server can run on a unix box and the client
> is excel on a win machine.
> the easiest solution would be running a stdin-stdout version
> of the server through inetd.
> but this is vulnerable.
> so what is needed is a sandbox version of the server,
> where no active access to the file system is open
> and where spawning processes is disabled.
> are there any plans for doing such a version?


This would be very hard to do properly.  It's certainly possible to
disable the interpreted commands that access the file system, and even to
remove them from the symbol table so that .C and .Internal can't get to
them. This would stop accidental damage or casual attacks.

However I don't think we can disable .C/.Fortran completely.  By passing
data of the wrong types to .C a sufficiently malicious program can
overwrite the stack and get, with very little effort, the sort of effect
that usually takes a buffer overflow.

I think a secure version of R would require rewriting all the important .C
and .Fortran code to use .Internal or .Call and then disabling .C and
.Fortran as well as system() and all the file access commands (or perhaps
restricting the file access to a specific tree as http servers do).

In the foreseeable future I think the solution is to assume that R can
execute arbitrary code and either run in a safe account or authenticate
the connection somehow. 


	-thomas
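An added illustration of the .C hazard and the .Call-style remedy discussed in the reply above. This is example code written for this page, not code from the mailing-list post, from R itself, or from any R package. A .C() routine receives bare pointers and has to believe whatever the caller says about their types, so a routine told "here are n doubles" writes 8*n bytes into a buffer that R may have allocated as n 4-byte integers. A .Call()-style routine instead receives a tagged object and can refuse a mismatch before writing. The `vec` struct, its type tags and the function names below are an assumed, simplified stand-in for R's SEXP and are not its real layout or API; the integer and double buffers are constructed test data. Rather than actually performing the undefined out-of-bounds write, the unchecked path computes how many bytes past the real allocation it would reach.

```c
/* Added example: models R's .C() type-confusion hazard next to a
 * .Call()-style routine that validates before writing. The `vec` type
 * is an ASSUMED simplification of an R vector object, not R's SEXP. */
#include <stddef.h>
#include <stdio.h>

enum vtype { INT_VEC = 1, REAL_VEC = 2 };

typedef struct {
    enum vtype type;   /* what the interpreter actually allocated */
    size_t length;     /* number of elements */
    size_t elem_size;  /* sizeof(int) for INT_VEC, sizeof(double) for REAL_VEC */
    void *data;        /* start of the element storage */
} vec;

/* .C-style routine: it is told "this buffer holds n doubles" and has no
 * way to check. Returns how many bytes a loop writing n doubles would
 * land past the end of the real allocation (0 means the caller told the
 * truth). Computing the overrun instead of performing it keeps the
 * example well defined. */
size_t dotc_overrun_bytes(const vec *v, size_t n_claimed_doubles) {
    size_t claimed = n_claimed_doubles * sizeof(double);
    size_t actual  = v->length * v->elem_size;
    return claimed > actual ? claimed - actual : 0;
}

/* .Call-style routine: sees the type tag and length and refuses to touch
 * anything that is not a double vector. Returns 0 on success, -1 on a
 * type mismatch. */
int dotcall_fill(vec *v, double value) {
    if (v->type != REAL_VEC || v->elem_size != sizeof(double))
        return -1;                       /* wrong type: refuse, write nothing */
    double *x = (double *)v->data;
    for (size_t i = 0; i < v->length; i++)
        x[i] = value;                    /* bounded by the tagged length */
    return 0;
}

/* Constructed scenario: R allocated 4 integers, the caller claimed 4 doubles. */
size_t demo_int_overrun(void) {
    int ibuf[4] = {0, 0, 0, 0};
    vec iv = { INT_VEC, 4, sizeof(int), ibuf };
    return dotc_overrun_bytes(&iv, 4);   /* 4*8 claimed - 4*4 real = 16 */
}

/* Same integer vector handed to the checked routine: it must be rejected. */
int demo_checked_refuses_int(void) {
    int ibuf[4] = {0, 0, 0, 0};
    vec iv = { INT_VEC, 4, sizeof(int), ibuf };
    return dotcall_fill(&iv, 1.0);
}

/* A genuine double vector: the checked routine fills it and returns the last element. */
double demo_checked_fills_double(void) {
    double dbuf[4] = {0.0, 0.0, 0.0, 0.0};
    vec dv = { REAL_VEC, 4, sizeof(double), dbuf };
    if (dotcall_fill(&dv, 2.5) != 0)
        return -1.0;
    return dbuf[3];
}

int main(void) {
    printf(".C-style routine would overrun the int buffer by %zu bytes\n",
           demo_int_overrun());
    printf(".Call-style routine on an int vector returns %d (refused)\n",
           demo_checked_refuses_int());
    printf(".Call-style routine on a double vector sets last element to %.1f\n",
           demo_checked_fills_double());
    return 0;
}
```

The point of the comparison is the one the reply makes: with .C the trust boundary sits on the R side of the call and nothing in C can recover it, so the only fix is to move the type and length check into a .Call-style interface that sees the object's tag, and to disable .C and .Fortran altogether for untrusted callers.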

-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
r-devel mailing list -- Read http://www.ci.tuwien.ac.at/~hornik/R/R-FAQ.html
Send "info", "help", or "[un]subscribe"
(in the "body", not the subject !)  To: r-devel-request@stat.math.ethz.ch
_._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._