[R-gui] RPad and Security

Iqbal Jamal iqbaljamal at shaw.ca
Thu Oct 25 19:00:11 CEST 2007


Thank you both for your comments.
We're using apache for our reporting website
and will take a look at rapache. We are looking
at building this in the next month and will talk
with our network and server security folks.

We may have other followup questions.

Thanks, Iqbal

At 07:50 AM 24/10/2007, Short, Tom wrote:
>Iqbal,
>
>I agree with Hadley. If you're concerned about security with Rpad or
>with any server technology that allows you to remotely run R code, you
>need to lock down your server (locking down R itself is almost
>impossible). That means only giving the apache user access to files it
>is supposed to access. To lock down servers even more, you can explore
>running processes in chroot jails, something like OpenVZ, or even
>full-blown VMWare machines (I haven't found the need for any of these,
>yet). Security systems like SELinux may also help restrict what the
>remote user can do. You could also explore requiring usernames and
>passwords to access your site (this is relatively easy with apache).
>
>Data lockdown is another issue. Write access is relatively easy, because
>you can handle that with file or database permissions. It is impossible
>to restrict read access remotely if the Rpad page can access the same
>data. If you need to shut out read access to data, then you need a
>server-oriented system like Jeffrey Horner's rapache.
>
>- Tom
>
>
>Tom Short
>Electric Power Research Institute (EPRI)
>
>-----Original Message-----
>From: r-sig-gui-bounces at stat.math.ethz.ch
>[mailto:r-sig-gui-bounces at stat.math.ethz.ch] On Behalf Of hadley wickham
>Sent: Wednesday, October 24, 2007 09:30
>To: Iqbal Jamal
>Cc: r-sig-gui at stat.math.ethz.ch
>Subject: Re: [R-gui] RPad and Security
>
>It's difficult to provide much security from within R due to the extreme
>difficulty of restricting potentially dangerous activities - and an
>experienced R user can usually get around any arbitrary restrictions you
>put it.  A more general technique is to make sure that the user running
>the rpad process has minimal security access (good practice anyway).
>
>Hadley
>
>On 10/23/07, Iqbal Jamal <iqbaljamal at shaw.ca> wrote:
> > Greetings:
> >
> > I am looking at using Rpad but concerned about security and access to
>files on our server.
> > Any suggestions/pointers/experiences from the list would be very
>helpful.
> >
> > Iqbal Jamal
> >
> >
> >         [[alternative HTML version deleted]]
> >
> > _______________________________________________
> > R-SIG-GUI mailing list
> > R-SIG-GUI at stat.math.ethz.ch
> > https://stat.ethz.ch/mailman/listinfo/r-sig-gui
> >
>
>
>--
>http://had.co.nz/
>
>_______________________________________________
>R-SIG-GUI mailing list
>R-SIG-GUI at stat.math.ethz.ch
>https://stat.ethz.ch/mailman/listinfo/r-sig-gui



More information about the R-SIG-GUI mailing list