Re: [Rd] Advice on parsing / overriding function calls

From: Hin-Tak Leung <hin-tak.leung_at_cimr.cam.ac.uk>
Date: Thu, 16 Aug 2007 14:23:31 +0100

Well, I think there are some serious uses, e.g. offering a web server where a script is uploaded and the Rout result is then downloaded back...

The issue is more about whether he wants to limit *all* file system access or just limiting to certain areas. For the former, I would set up a chroot jail and run R from within; for the latter, I would probably do something with LD_LIBRARY_PRELOAD to override all the file system accessing functions in libc directly, really. That would fix the problem with system(rm) and some such, I think, because if your entire R process and any sub-process R launches has no access to the genuine libc fwrite/fread/etc functions you cannot do any damage, right?
Both are tricky and take time to do (the chroot jail a bit easier, actually...), but quite do-able.

It depends on (1) how paranoid you are, (2) how much trouble you want to have for yourself to achieve those restrictions...

hadley wickham wrote:

> What are you trying to defend against?  A serious attacker could still
> use rm/assign/get/eval/... to circumvent your replaced functions.  I
> think it would be very difficult (if not impossible) to prevent this
> from happening), especially if the user can load packages.
> 
> Hadley
> 
> On 8/16/07, Michael Cassin <michael_at_cassin.name> wrote:

>> Hi,
>>
>> I am trying to tighten file I/O security on a process that passes a
>> user-supplied script to R CMD Batch. Broadly speaking, I'd like to restrict
>> I/O to a designated path on the file system. Right now, I'm trying to
>> address this in the R environment by forcing the script to use modified
>> versions of scan, read.table, sys.load.image, etc.
>>
>> I can run a replace string on the user-supplied script so that, for example,
>> "scan(" is replaced by "safe.scan("
>>
>> e.g.
>>
>>> SafePath <- function(file)
>> {fp<-strsplit(file,"/");paste("safepath",fp[[1]][length(fp[[1]])],sep="/")}
>>> SafePath("/etc/passwd")
>> [1] "safepath/passwd"
>>
>>> Safe.scan <- function(file, ...) scan(SafePath(file),...)
>>> Safe.scan("/etc/passwd",what="",sep="\n")
>> Error in file(file, "r") : unable to open connection
>> In addition: Warning message:
>> cannot open file 'safepath/passwd', reason 'No such file or directory'
>>
>> I'd appreciate any critique of this approach. Is there something more
>> effective or elegant?
>>
>> Regards,
>> Mike
>>
>>
>> ______________________________________________
>> R-devel_at_r-project.org mailing list
>> https://stat.ethz.ch/mailman/listinfo/r-devel
>>
>
>
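Hin-Tak's LD_PRELOAD idea above, as an added example that is not code from this thread or from R: a small shim that confines fopen() to one directory by resolving paths with realpath(), which also shows why Michael's string-based SafePath is the weaker check. The SANDBOX_ROOT variable name and the file name sandbox.c are assumptions.

```c
/* Added example, not code from the thread: a minimal LD_PRELOAD shim of the kind
 * Hin-Tak describes, confining fopen() to one directory. SANDBOX_ROOT is an assumed name. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1 if `path` resolves to `root` or below it. realpath() collapses ".." and follows
 * symlinks, which the string-based SafePath cannot. A file that does not exist yet
 * (a fresh output file) has no realpath, so its directory is resolved instead. */
int path_allowed(const char *path, const char *root) {
    char rroot[PATH_MAX], rpath[PATH_MAX], dir[PATH_MAX];
    if (!root || !path || !realpath(root, rroot)) return 0;
    if (!realpath(path, rpath)) {
        const char *slash = strrchr(path, '/');
        size_t dlen = slash ? (size_t)(slash - path) : 0;
        if (dlen >= sizeof dir || !strcmp(slash ? slash + 1 : path, "..")) return 0;
        memcpy(dir, path, dlen); dir[dlen] = '\0';
        if (!realpath(dlen ? dir : slash ? "/" : ".", rpath)) return 0;
    }
    size_t n = strlen(rroot);
    if (strncmp(rpath, rroot, n) != 0) return 0;
    return n == 1 || rpath[n] == '/' || rpath[n] == '\0';   /* n == 1: root is "/" */
}

/* Translate an fopen() mode string into open(2) flags; -1 if unrecognised. */
int mode_flags(const char *mode) {
    int f;
    switch (mode ? mode[0] : 0) {
        case 'r': f = O_RDONLY; break;
        case 'w': f = O_WRONLY | O_CREAT | O_TRUNC; break;
        case 'a': f = O_WRONLY | O_CREAT | O_APPEND; break;
        default:  return -1;
    }
    if (strchr(mode, '+')) f = (f & ~(O_RDONLY | O_WRONLY)) | O_RDWR;
    return f;
}

/* Interposed fopen(): refuse anything outside SANDBOX_ROOT with EACCES, otherwise go
 * through libc's open()/fdopen() (only fopen is interposed here, so no dlsym needed). */
FILE *fopen(const char *path, const char *mode) {
    int flags = mode_flags(mode);
    if (flags < 0) { errno = EINVAL; return NULL; }
    if (!path_allowed(path, getenv("SANDBOX_ROOT"))) { errno = EACCES; return NULL; }
    int fd = open(path, flags | O_CLOEXEC, 0666);
    return fd < 0 ? NULL : fdopen(fd, mode);
}
```

Build with `gcc -shared -fPIC -o sandbox.so sandbox.c` and run as `SANDBOX_ROOT=/srv/jobs/42 LD_PRELOAD=./sandbox.so R CMD BATCH script.R` (paths assumed). A real shim must interpose open(), openat(), unlink(), rename(), opendir() and the rest of the file API the same way, and it remains a mitigation only, since statically linked helpers and direct system calls bypass it, which is why Hin-Tak pairs it with a chroot.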

Received on Thu 16 Aug 2007 - 13:44:20 GMT

Archive maintained by Robert King, hosted by the discipline of statistics at the University of Newcastle, Australia.
Archive generated by hypermail 2.2.0, at Thu 16 Aug 2007 - 17:38:45 GMT.
