Sandboxing librarys

Hello!

In my program I try to allow any user to write own code (event handler
here) to be loaded and included automatically.

To enhance security, can I prevent the author to use specific
functions like eval, exec, File.* and so on?

If I can, is it then secure? My goal is to let the author only write
handler functions that return something but he must not for example
modify the system classes, write files, do network and something like
that..

Thanks for suggestions!

Dominik

To enhance security, can I prevent the author to use specific
functions like eval, exec, File.* and so on?

Look at $SAFE

Guy Decoux

check out the capability security model.
http://www.erights.org/elib/capability/index.html
http://www.skyhunter.com/marcs/capabilityIntro/index.html

'from objects to capabilities':
http://www.erights.org/elib/capability/ode/ode-capabilities.html

peace,
-z

ts writes:

>
> > To enhance security, can I prevent the author to use specific
> > functions like eval, exec, File.* and so on?
>
> Look at $SAFE

is that like perl's Safe module, with configurable departments
for evaluation ?

Klaus Schilling

> To enhance security, can I prevent the author to use specific
> functions like eval, exec, File.* and so on?

Look at $SAFE

So I can load external code which can't modify anything else but
itself.

But how can I prevent the code from reading all files?
Docs say only "Can't load a file from a world-writable directory."

And how can I remove any function I do not want from the wrapping
environment while I for myself am still able to use them?

Or is already done by using anonymous modules? If yes, how? I couldn't
understand this

thanks!
Dominik

This is one area I would like to see improve. I think
there should be support to limit memory, processes,
threads, etc.

SAFE provides limited restrictions.

--- klaus schilling <510046470588-0001@t-online.de>
wrote:

is that like perl's Safe module, with configurable departments
for evaluation ?

I don't know Safe

Guy Decoux

Or is already done by using anonymous modules? If yes, how? I couldn't
understand this

It's really depend on what you want to do, this is why it's difficult to
give a general response. A stupid example :

svg% cat b.rb
#!/usr/bin/ruby
file = "#{ENV['HOME']}/c.rb"
begin
   Thread.new do
      $SAFE = 4
      load(file, true)
   end.join
rescue
   p $!
end

load(file)
svg%

svg% cat c.rb
#!/usr/bin/ruby
system("echo hello")
svg%

svg% b.rb
#<SecurityError: Insecure operation - system>
hello
svg%

Guy Decoux

This is one area I would like to see improve. I think
there should be support to limit memory, processes,
threads, etc.

These are OS things and must be done at OS level

Guy Decoux

These are things that *could* be built in features as
well. It would be nice to set limits without running
expternal commands.