[R-gui] RPad and Security

Short, Tom TShort at epri.com
Wed Oct 24 15:50:54 CEST 2007


Iqbal,

I agree with Hadley. If you're concerned about security with Rpad or
with any server technology that allows you to remotely run R code, you
need to lock down your server (locking down R itself is almost
impossible). That means only giving the apache user access to files it
is supposed to access. To lock down servers even more, you can explore
running processes in chroot jails, something like OpenVZ, or even
full-blown VMWare machines (I haven't found the need for any of these,
yet). Security systems like SELinux may also help restrict what the
remote user can do. You could also explore requiring usernames and
passwords to access your site (this is relatively easy with apache).

Data lockdown is another issue. Write access is relatively easy, because
you can handle that with file or database permissions. It is impossible
to restrict read access remotely if the Rpad page can access the same
data. If you need to shut out read access to data, then you need a
server-oriented system like Jeffrey Horner's rapache. 

- Tom


Tom Short
Electric Power Research Institute (EPRI)
 
-----Original Message-----
From: r-sig-gui-bounces at stat.math.ethz.ch
[mailto:r-sig-gui-bounces at stat.math.ethz.ch] On Behalf Of hadley wickham
Sent: Wednesday, October 24, 2007 09:30
To: Iqbal Jamal
Cc: r-sig-gui at stat.math.ethz.ch
Subject: Re: [R-gui] RPad and Security

It's difficult to provide much security from within R due to the extreme
difficulty of restricting potentially dangerous activities - and an
experienced R user can usually get around any arbitrary restrictions you
put in.  A more general technique is to make sure that the user running
the rpad process has minimal security access (good practice anyway).

Hadley

On 10/23/07, Iqbal Jamal <iqbaljamal at shaw.ca> wrote:
> Greetings:
>
> I am looking at using Rpad but concerned about security and access to
> files on our server.
> Any suggestions/pointers/experiences from the list would be very
> helpful.
>
> Iqbal Jamal
>
> _______________________________________________
> R-SIG-GUI mailing list
> R-SIG-GUI at stat.math.ethz.ch
> https://stat.ethz.ch/mailman/listinfo/r-sig-gui
>


--
http://had.co.nz/
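
The advice in this thread is to give the web server account access only to the files it is supposed to reach. As an added example (not part of the original thread and not Rpad's own code), this Python audit walks a tree and reports what a given account could read or write outside its allowed directories, judged from classic Unix mode bits. The function names, the constructed directory tree and the stand-in uid are assumptions; ACLs and SELinux are not modelled.

```python
import os, stat, tempfile

def class_bits(st, uid, gids):
    """rwx bits (0-7) for uid/gids from classic mode bits (no ACLs, SELinux, root)."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def under(path, prefixes):
    return any(path == p or path.startswith(p.rstrip("/") + "/") for p in prefixes)

def audit(root, uid, gids, allow_read=(), allow_write=()):
    """List (path, 'read'|'write') the account can reach outside its allowed
    directories. Assumes the account can already reach root itself."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Without the search (x) bit the account cannot enter a directory.
        dirnames[:] = [d for d in dirnames if class_bits(
            os.lstat(os.path.join(dirpath, d)), uid, gids) & 1]
        # Write + search on a directory allows creating and deleting entries.
        dir_bits = class_bits(os.lstat(dirpath), uid, gids)
        if (dir_bits & 3) == 3 and not under(dirpath, allow_write):
            findings.append((dirpath, "write"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: symlinks are skipped, not followed
            bits = class_bits(st, uid, gids) if stat.S_ISREG(st.st_mode) else 0
            if bits & 2 and not under(path, allow_write):
                findings.append((path, "write"))
            if bits & 4 and not under(path, allow_read):
                findings.append((path, "read"))
    return sorted(findings)

def demo():
    """Constructed tree, audited for a stand-in uid that owns nothing in it."""
    root = tempfile.mkdtemp()
    dirs = {"www": 0o755, "scratch": 0o777, "data": 0o755, "locked": 0o700}
    files = {"www/index.Rpad": 0o644, "www/config.R": 0o666, "scratch/out.csv": 0o666,
             "data/salaries.csv": 0o644, "data/secret.txt": 0o600, "locked/notes.txt": 0o644}
    for rel in dirs:
        os.mkdir(os.path.join(root, rel))
    for rel in files:
        open(os.path.join(root, rel), "w").close()
    for rel, mode in {**dirs, **files}.items():
        os.chmod(os.path.join(root, rel), mode)  # explicit modes, independent of umask
    www, scratch = os.path.join(root, "www"), os.path.join(root, "scratch")
    found = audit(root, os.getuid() + 1, set(), [www, scratch], [scratch])
    return [(os.path.relpath(p, root), kind) for p, kind in found]
```

In the constructed tree the audit flags the world-readable `data/salaries.csv` and the world-writable `www/config.R`, while `data/secret.txt` (mode 0600) and everything under the 0700 `locked` directory stay out of the account's reach.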