
Re: weblily: security risk


From: Graham Percival
Subject: Re: weblily: security risk
Date: Thu, 11 Mar 2010 00:59:43 +0000
User-agent: Mutt/1.5.18 (2008-05-17)

I admit that I only tested getcwd, but doesn't a jail normally
report the main dir as / rather than /home/lily ?

... hmm, ok, apparently not.  Ok, it might be safe after all.  At
least, my earlier investigations were flawed, and I'm not keen to
continue snooping around.

- Graham

On Wed, Mar 10, 2010 at 09:29:59PM -0300, Han-Wen Nienhuys wrote:
> this is what weblily wrote to me a couple of weeks ago.
> 
> **
> Hi Han-Wen,
> 
> I've continued to work on weblily.net. Now it looks to me almost like
> something useful. Of course, I've taken your advice and now LilyPond
> is running in a jail.
> 
> Quite cool: I modified the notation reference: When you click on one
> of the examples, it will be opened in weblily.net's editor.
> 
> Cheers,
> 
> Weblily
> **
> 
> On Wed, Mar 10, 2010 at 5:21 PM, Graham Percival
> <address@hidden> wrote:
> > Mr. Weblily,
> >
> > I like your enthusiasm with your weblily project, but for Mao's
> > sake please learn something about computer security.  The current
> > website is completely insecure.
> >
> > This is not a theoretical concern.  It would take me approximately
> > two minutes to delete everything in your /home/lily/ directory --
> > not just material in /home/lily/scores/.
> >
> >
> > I wouldn't do this, of course -- but if a non-expert like me could
> > do this so quickly, I'm certain that an experienced and malicious
> > hacker could do far worse.  Such as taking over your machine and
> > using it to attack other websites, distributing child porn, or
> > whatever.
> >
> > If you want to continue to run your project without any regard for
> > security, that's your business, but I want it understood that
> > YOU HAVE COMPLETELY DISREGARDED ALL COMMON SENSE AND HAVE NOT READ
> > THE MATERIAL ABOUT SECURITY IN OUR DOCUMENTATION.  YOU RUN
> > LILYPOND IN THIS FASHION COMPLETELY AT YOUR OWN RISK, AND IF THE
> > GERMAN EQUIVALENT OF THE FBI COMES KNOCKING ON YOUR DOOR ASKING
> > WHY YOU ARE DISTRIBUTING RIPS OF HOLLYWOOD MOVIES OR PIRATED
> > COMMERCIAL SOFTWARE, YOU CANNOT BLAME LILYPOND.
> >
> > The internet is not a playground.  If you're going to hand
> > complete control over your server to other people, you might not
> > like the consequences.
> >
> > - Graham Percival
> >
> >
> > _______________________________________________
> > lilypond-devel mailing list
> > address@hidden
> > http://lists.gnu.org/mailman/listinfo/lilypond-devel
> >
> 
> 
> 
> -- 
> Han-Wen Nienhuys - address@hidden - http://www.xs4all.nl/~hanwen
