[Rd] Operator masks in R, restrict set of applicable functions

Michael Dondrup michael.dondrup at cebitec.uni-bielefeld.de
Mon Mar 27 18:59:09 CEST 2006

Thank you very much,
Sorry for bothering again, but how about this:

 > assignInNamespace('system',function(...)stop('No system!'),'base')
 > system()
Error in system() : No system!
 > base::system()
Error in base::system() : No system!
 > detach(package:utils) # no way back?

I guess there is a way to circumvent that, too?
Of course, if it works, it's tedious work to do this for all unsafe 
functions (of course: file, url, unlink, dyn.load, ..., maybe I'm just 
too cautious).
I would really like to chroot the R-process, and agree it would be the 
best option, but I'm using RSPerl, which loads R.so. Hence, I cannot 
restrict R-code more than the web-server (at least I think so). Though 
this would be necessary, as the web-server accesses some files that 
unsafe code should never even be able to read, including the cgi-scripts.

Thank you again

Prof Brian Ripley wrote:
> On Mon, 27 Mar 2006, Michael Dondrup wrote:
>>is there a way to restrict the set of admissible functions for an eval()
>>statement to a possibly 'safe' set, excluding all potentially dangerous
>>functions like 'system', 'open', etc.(like, for instance, in the 'Safe'
>>module for Perl)?
> In short, no.  (BTW, what is unsafe about 'open'?  What are you trying to 
> circumvent here?  E.g. unlink() might be on your list, as might file().)
> The normal approach is to run R in an environment which restricts what the 
> user can do: that should be sufficient to avoid unwanted file deletions, 
> for example.
> One could argue that a lot of these operations should be in a package 
> other than base, but much of R is itself written in R and assumes them. 
> (I did look into putting system() and file.*() in utils when the current 
> organization of packages was made, but at least at the time they were too 
> deeply embedded in other functionality.)
> One idea would be to evaluate your expression in a strictly controlled 
> environment of your own choosing, but there are ways for knowledgeable 
> users to circumvent that (see below).
>>The background for this question is, that this would be run in a
>>CGI-environment. The user should be able to input some R-code (a
>>function assignment), thereafter the code is parsed, evaluated and the
>>type of function parameters checked by a call to 'formals'
>>like in:
>>>expr <- parse(text='foo <- function(x = numeric()){mean(x)}')
>>of course, this is highly dangerous, given this setting, as one could try
>>>expr <- parse(text='system("ls");
>>foo <- function(x = numeric()){mean(x)}') # or more evil things
>>I know I could do something like
>>>system <- function(...) stop ('This is not allowed!')
>>but it's rather likely to miss one of the 'bad' functions.
> But a user can use base::system, and load packages which could contain 
> arbitrarily dangerous code (even its own compiled-code version of system).
>>Any ideas would be appreciated.
>>Michael Dondrup

Dipl. Inform. Michael Dondrup
CeBiTec - http://www.cebitec.uni-bielefeld.de/~mdondrup
Bielefeld University, D-33594 Bielefeld, Germany
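The "strictly controlled environment" approach from the reply, written out as an added example (this is not code from the thread): the expression is evaluated in an environment whose parent is emptyenv(), so only an operator-chosen whitelist of base functions is reachable, and the base::system and library() escapes raised in the thread fail. It assumes only base R; the whitelist is a constructed illustration.

```r
# Whitelist of base functions the user code may reach. `function`, `{`,
# `(` and `<-` are themselves functions in R and must be listed, or the
# parsed definition cannot even be evaluated.
allowed <- c("function", "{", "(", "<-", "c", "numeric",
             "mean", "sum", "+", "-", "*", "/")

# Parent emptyenv(): no search path, so nothing outside `allowed` resolves.
safe_env <- new.env(parent = emptyenv())
for (nm in allowed)
  assign(nm, get(nm, envir = baseenv()), envir = safe_env)

# Parse and evaluate untrusted text inside safe_env; report failures
# instead of letting them propagate.
run_restricted <- function(code) {
  tryCatch(eval(parse(text = code), envir = safe_env),
           error = function(e) paste("refused:", conditionMessage(e)))
}

# The intended use from the question: define a function, then inspect
# its formals. The closure's environment is safe_env, so `mean` and
# `numeric` inside the body resolve to the whitelisted copies.
run_restricted("foo <- function(x = numeric()) { mean(x) }")
formals(get("foo", envir = safe_env))
run_restricted("foo(c(1, 2, 3))")

# The escapes discussed in the thread: `system` is not in safe_env, `::`
# is a base function that is not whitelisted, and neither is `library`,
# so each call fails with "could not find function".
run_restricted('system("ls")')
run_restricted('base::system("ls")')
run_restricted('library(utils)')

# Caveat from the reply: whitelisting anything that hands back an
# environment or an arbitrary function (environment, parent.frame,
# sys.function, get, eval, `::`, library, .Internal) reopens the escape.
# This only narrows name lookup; it does not confine the process, so the
# OS-level restrictions the reply recommends are still needed.
```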
