[Rd] R in sandbox/jail (long question)

Matt Shotwell shotwelm at musc.edu
Wed May 19 22:26:54 CEST 2010


How about some "computing on the language", something like this:
  
exprs <- parse("SCRIPT.R")
invalids <- c(".Internal", ".Primitive")
if( any( invalids %in% all.names(exprs) ) )
   stop("sandbox check failed")


I believe this would prevent evaluating any direct calls to '.Primitive'
and '.Internal'. Of course, you could extend the 'invalids' vector to
include any names. If you want to consider arguments to calls (i.e.
argument to 'file' or 'library') or something more sophisticated, check
out the functions in the codetools package, something like this:


library(codetools)

walkerCall <- function(e, w) {
  # check the call itself first, so top-level calls (not only nested ones)
  # are caught; the head may be a symbol or a string as in "file"(x)
  fn <- e[[1]]
  if(is.name(fn) || is.character(fn)) {
    fn <- as.character(fn)

    #stop .Internal calls
    if(fn == ".Internal")
      stop("invalid \'.Internal()\' call")

    #restrict file to STDIN; match.call() binds arguments by name, so
    #'description' is found whether it was passed by position or by name
    if(fn == "file") {
      mc <- match.call(file, e)
      if(!identical(mc$description, "stdin"))
        stop("\'file()\' only valid with \'description=\"stdin\"\'")
    }
  }

  #recurse into every element of the call (head included), skipping
  #empty arguments such as the first index in x[, 1]
  for( ee in as.list(e)) {
    if(!missing(ee))
      walkCode(ee, w)
  }
}

walker <- makeCodeWalker(call=walkerCall, leaf=function(e,w){})
exprs <- parse("SCRIPT.R")
for( expr in exprs )
    walkCode(expr,walker)

I'm a little surprised that there isn't a 'sandbox' package or something
similar to this. A reverse depends check on the codetools package
indicates there is not. However, I believe there is some demand for it.

Matt Shotwell
http://biostatmatt.com


On Tue, 2010-05-18 at 22:38 -0400, Assaf Gordon wrote:
> Hello,
> 
> I have a setup similar to Rweb (  http://www.math.montana.edu/Rweb/ ):
> I get R scripts from users and need to execute them in a safe manner (they are executed automatically, without human inspection).
> 
> I would like to limit the user's script to reading from STDIN and writing to STDOUT/ERR.
> Specifically, preventing any kind of interaction with the underlying operating system (files, sockets, system(), etc.).
> 
> I've found this old thread:
> http://r.789695.n4.nabble.com/R-in-a-sandbox-jail-td921991.html
> But for technical reasons I'd prefer not to set up a chroot jail.
> 
> I have written a patch that adds a "--sandbox" parameter.
> When this parameter is used, the user's script can't create any kind of connection object or run "system()".
> 
> My plan is to run R like this:
> 
> cat INPUT | R --vanilla --slave --sandbox --file SCRIPT.R > OUTPUT
> 
> Where 'INPUT' is my chosen input and 'SCRIPT.R' is the script submitted by the user.
> If the script tries to create a connection or run a disabled function, an error is printed.
> 
> This is the patch:
> http://cancan.cshl.edu/labmembers/gordon/files/R_2.11.0_sandbox.patch
> 
> So my questions are:
> 1. Would you be willing to consider this feature for inclusion?
> 2. Are there any other 'dangerous' functions I need to intercept (".Internal" perhaps?)
> 
> All comments and suggestions are welcome,
> thanks,
>    -gordon
> 
> ______________________________________________
> R-devel at r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-devel
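An added example, not code from either message above, that carries the two approaches in the reply (the 'all.names' deny-list check and the codetools walker) through as one complete checker. It generalizes them: the deny-list covers the '.Internal'/'.Primitive' names from the first snippet, the 'system' and connection functions from the original question, and the indirection functions ('eval', 'parse', 'get', 'do.call', 'source', 'library') that a static name check cannot see through and so a sandbox policy has to refuse as well; it checks the top-level expression as well as nested ones, resolves 'pkg::fn' heads, walks the default arguments of function definitions, looks at 'file()' by its named 'description' argument, and reports every violation instead of stopping at the first. The deny-list, the function names 'call_head' and 'check_script', and the sample script are all constructed here for illustration.

```r
## Added example (not code from either message above): a codetools walker that
## reports every disallowed call in a script. The deny-list and the sample
## script are constructed here for illustration.
library(codetools)

## Names a sandbox policy would refuse: internal entry points, OS and network
## access, and the indirection functions a static name check cannot see
## through (code built or looked up at run time).
denied <- c(".Internal", ".Primitive", ".Call", ".External", ".C", ".Fortran",
            "system", "system2", "pipe", "url", "socketConnection", "unlink",
            "eval", "evalq", "parse", "get", "get0", "mget", "do.call",
            "match.fun", "source", "sys.source", "library", "require",
            "loadNamespace", "attachNamespace")

## Name of the function a call invokes: a symbol, a string ("fn"(x)), or the
## `fn` part of pkg::fn / pkg:::fn. NA when the head is itself a computed
## expression such as f()(), which the walker visits and checks on its own.
call_head <- function(e) {
  h <- e[[1]]
  if (is.call(h) && (identical(h[[1]], as.name("::")) ||
                     identical(h[[1]], as.name(":::"))))
    h <- h[[3]]
  if (is.name(h) || is.character(h)) as.character(h) else NA_character_
}

## Parse a script (from a path or from text) and return a character vector of
## violations, one per flagged call; character(0) means the script passed.
check_script <- function(path = NULL, text = NULL) {
  exprs <- if (!is.null(text)) parse(text = text) else parse(path)
  violations <- character()
  note <- function(msg) violations <<- c(violations, msg)

  on_call <- function(e, w) {
    fn <- call_head(e)
    if (!is.na(fn)) {
      if (fn == "file") {
        ## match.call() binds arguments to formals by name, so `description`
        ## is found whether it was passed by position or by name; it errors
        ## on a call it cannot match (e.g. one that forwards `...`), which is
        ## treated as a violation rather than silently accepted
        mc <- tryCatch(match.call(base::file, e), error = function(err) NULL)
        if (is.null(mc) || !identical(mc$description, "stdin"))
          note(paste("file() not restricted to stdin:", deparse(e)[1]))
      } else if (fn %in% denied) {
        note(paste0("call to ", fn, ": ", deparse(e)[1]))
      }
    }
    ## recurse into every element, head included; skip empty arguments (x[, 1])
    for (ee in as.list(e)) if (!missing(ee)) walkCode(ee, w)
  }

  ## walkCode() hands non-call nodes to `leaf`; the formals of a function
  ## definition arrive here as a pairlist, and their default values can
  ## contain calls, so walk them too instead of ignoring them
  on_leaf <- function(e, w) {
    if (is.pairlist(e))
      for (ee in as.list(e)) if (!missing(ee)) walkCode(ee, w)
  }

  walker <- makeCodeWalker(call = on_call, leaf = on_leaf)
  for (expr in exprs) walkCode(expr, walker)
  violations
}

## Constructed sample script: the first two lines are what the sandbox is
## meant to allow (read STDIN, write STDOUT); the rest should each be flagged.
sample_script <- '
x <- scan(file("stdin"), quiet = TRUE)
cat(mean(x), "\\n")
system("date")
y <- base::system2("date")
f <- function(z = file("/tmp/out")) z
'

print(check_script(text = sample_script))
```

Run before the script is handed to R: `check_script("SCRIPT.R")` returns `character(0)` for a script that passes, and a non-empty vector means refuse to run it. On the constructed sample it reports the top-level `system("date")`, the namespaced `base::system2("date")` (whose head is a `::` call, so a plain `ee[1] == call("system2")` comparison would not match it), and the `file("/tmp/out")` default argument that only the pairlist branch of `on_leaf` reaches; the `file("stdin")` read is accepted because `match.call()` resolves the positional argument to `description`.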


