[Rd] R in sandbox/jail (long question)

Assaf Gordon assafgordon at gmail.com
Wed May 19 04:38:36 CEST 2010


Hello,

I have a setup similar to Rweb ( http://www.math.montana.edu/Rweb/ ):
I get R scripts from users and need to execute them in a safe manner (they are executed automatically, without human inspection).

I would like to limit the user's script to reading from STDIN and writing to STDOUT/ERR.
Specifically, preventing any kind of interaction with the underlying operating system (files, sockets, system(), etc.).

I've found this old thread:
http://r.789695.n4.nabble.com/R-in-a-sandbox-jail-td921991.html
But for technical reasons I'd prefer not to set up a chroot jail.

I have written a patch that adds a "--sandbox" parameter.
When this parameter is used, the user's script can't create any kind of connection object or run "system()".

My plan is to run R like this:

cat INPUT | R --vanilla --slave --sandbox --file SCRIPT.R > OUTPUT

Where 'INPUT' is my chosen input and 'SCRIPT.R' is the script submitted by the user.
If the script tries to create a connection or run a disabled function, an error is printed.

This is the patch:
http://cancan.cshl.edu/labmembers/gordon/files/R_2.11.0_sandbox.patch

So my questions are:
1. Would you be willing to consider this feature for inclusion?
2. Are there any other 'dangerous' functions I need to intercept (".Internal" perhaps?)

All comments and suggestions are welcomed,
thanks,
   -gordon
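Added example, not part of the original post and not the author's patch: a pure-R approximation of the "--sandbox" idea described above. It evaluates the user's script in an environment where connection constructors and system() are masked by stubs that raise an error, so the script can still read its input and print results but any attempt to touch the OS through those names fails. The function names `make_sandbox_env` and `run_sandboxed`, the list of blocked functions, and the demo script written to a temp file are all assumptions made for this illustration.

```r
# Added example (not the patch from the post): an R-level approximation of
# "--sandbox" that masks connection constructors and system() in the
# environment the user's script is evaluated in.

# Assumed list of names to block: process execution and connection constructors.
blocked_functions <- c(
  "system", "system2",                              # process execution
  "file", "url", "pipe", "fifo", "socketConnection",
  "gzfile", "bzfile", "xzfile", "unz",              # connection constructors
  "download.file", "source", "sink", "dyn.load"
)

make_sandbox_env <- function() {
  env <- new.env(parent = globalenv())
  for (fn in blocked_functions) {
    # local() captures the current value of fn for each generated stub
    stub <- local({
      name <- fn
      function(...) stop(sprintf("'%s()' is disabled in sandbox mode", name),
                         call. = FALSE)
    })
    assign(fn, stub, envir = env)
    lockBinding(fn, env)   # the user's script cannot reassign the stub
  }
  env
}

# Evaluate a script file in a fresh sandbox environment; the first blocked
# call aborts the script and the error message is returned instead of
# propagating out of the wrapper.
run_sandboxed <- function(script_path) {
  env <- make_sandbox_env()
  tryCatch(
    { sys.source(script_path, envir = env); "ok" },
    error = function(e) paste("sandbox error:", conditionMessage(e))
  )
}

# Constructed demo script: harmless computation followed by a system() call.
demo <- tempfile(fileext = ".R")
writeLines(c(
  'x <- c(1, 2, 3)',
  'cat(sum(x), "\\n")',
  'system("ls")'
), demo)

print(run_sandboxed(demo))
# prints 3, then:
# [1] "sandbox error: 'system()' is disabled in sandbox mode"
```

This only masks names resolved through the sandbox environment: a lookup that goes straight to the base namespace (for example `base::system`) or through `.Internal`, which the post already flags, is not caught by environment masking. That is the reason to put the check inside the interpreter, as the patch does, and to treat an R-level mask as defence in depth under an OS-level boundary (separate user, resource limits, no network) rather than as the only control.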
