lilypond-user

Re: lilypond via web interface: security considerations


From: Alex
Subject: Re: lilypond via web interface: security considerations
Date: Wed, 20 May 2009 10:42:28 +0100
User-agent: Thunderbird 2.0.0.21 (Windows/20090302)

Daniel Hulme wrote:
> This might sound like nitpicking, but since security's concerned, I want
> to be absolutely clear.
>
> On Tue, May 19, 2009 at 01:08:28PM -0400, Mike Blackstock wrote:
> > Furthermore, you just limit the number of utilities you put in the
> > /bin directories; if you don't have the 'rm' command in there, then it
> > can't be run, obviously.
>
> Removing the 'rm' binary will slow down someone who's trying to inject
> commands by having you process "myfile.ly ; rm -rf /" but it won't stop
> someone using Guile's POSIX system call module to do the same thing.
>
> A chroot jail will keep the webserver safe, but it won't stop people
> writing a Lilypond file that downloads a list of email addresses and
> sends spam to all of them.

Good point...

> -dsafe aims to protect against all of these attacks, but unless you know
> exactly what it permits and denies you can't know whether it's
> appropriate for the kind of use you intend.

This page:

http://lilypond.org/doc/v2.10/Documentation/user/lilypond/Invoking-lilypond

seems to suggest that the jail or safe option is to be used in a web server setting, but I get the impression from the comments here that it shouldn't be trusted? i.e. functionality involved might be out of date?

An alternative for my own context could be to just offer a subset of lilypond functionality, and reject any output that goes beyond that. That is prone to error though.

lex
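
The filename case quoted above ("myfile.ly ; rm -rf /"), shown as an added example that is not part of the original message or of LilyPond. The hostile name is constructed and uses a harmless marker command, `echo` stands in for the lilypond binary in the two comparison functions, and `build_lilypond_argv` and `render` are hypothetical helpers. This closes only the shell-parsing path; it does nothing about Scheme embedded in the file, which is what -dsafe and the jail are meant to address.

```python
import os
import subprocess
import tempfile
import uuid

# Constructed hostile upload name, modelled on the case in the thread
# but carrying a harmless marker command instead of a destructive one.
HOSTILE_NAME = "myfile.ly ; echo INJECTED"


def shell_string_form(name):
    """Vulnerable pattern: the client-supplied name is pasted into a
    shell command line, so ';' starts a second command."""
    out = subprocess.run("echo rendering " + name, shell=True,
                         capture_output=True, text=True).stdout
    return out.splitlines()


def argv_form(name):
    """Same call with an argument vector: no shell ever parses the name,
    so it stays one literal argument."""
    out = subprocess.run(["echo", "rendering", name],
                         capture_output=True, text=True).stdout
    return out.splitlines()


def build_lilypond_argv(workdir):
    """Command line for a real render. The server chooses the file name,
    so the client-supplied name never reaches the command line at all."""
    src = os.path.join(workdir, uuid.uuid4().hex + ".ly")
    argv = ["lilypond", "-dsafe", "-o", os.path.join(workdir, "out"), src]
    return argv, src


def render(source_text, timeout_s=30):
    """Write the submitted text to a server-named file in a fresh
    directory and run lilypond on it with a time limit."""
    workdir = tempfile.mkdtemp(prefix="ly-")
    argv, src = build_lilypond_argv(workdir)
    with open(src, "w", encoding="utf-8") as fh:
        fh.write(source_text)
    subprocess.run(argv, cwd=workdir, timeout=timeout_s, check=True)
    return workdir
```
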







