[Rd] Advice on parsing / overriding function calls

Hin-Tak Leung hin-tak.leung at cimr.cam.ac.uk
Thu Aug 16 15:23:31 CEST 2007

Well, I think there are some serious use e.g. offering a web server
for script uploaded then downloading the Rout result back...

The issue is more about whether he wants to limit *all* file system 
access or just limiting to certain areas. For the former,
I would set up a chroot jail and run R from within; for the latter,
I would probably do something with LD_LIBRARY_PRELOAD to override
all the file system accessing functions in libc directly, really.
That would fix the problem with system(rm) and some such, I think,
because if your entire R process and any sub-process R launches has no 
access to the genuine libc fwrite/fread/etc functions you cannot do
any demage, right?
Both are tricky and take time to do (the chroot jail a bit easier, 
actually...), but quite do-able.

It depends on (1) how paranoid you are, (2) how much trouble you want to 
have for yourself to achieve those restrictions...

hadley wickham wrote:
> What are you trying to defend against?  A serious attacker could still
> use rm/assign/get/eval/... to circumvent your replaced functions.  I
> think it would be very difficult (if not impossible) to prevent this
> from happening), especially if the user can load packages.
> Hadley
> On 8/16/07, Michael Cassin <michael at cassin.name> wrote:
>> Hi,
>> I am trying to tighten file I/O security on a process that passes a
>> user-supplied script to R CMD Batch.  Broadly speaking, I'd like to restrict
>> I/O to a designated path on the file system. Right now, I'm trying to
>> address this in the R environment by forcing the script to use modified
>> versions of scan, read.table, sys.load.image, etc.
>> I can run a replace string on the user-supplied script so that, for example,
>> "scan(" is replaced by "safe.scan("
>> e.g.
>>> SafePath <- function(file)
>> {fp<-strsplit(file,"/");paste("safepath",fp[[1]][length(fp[[1]])],sep="/")}
>>> SafePath("/etc/passwd")
>> [1] "safepath/passwd"
>>>  Safe.scan <- function(file, ...) scan(SafePath(file),...)
>>> Safe.scan("/etc/passwd",what="",sep="\n")
>> Error in file(file, "r") : unable to open connection
>> In addition: Warning message:
>> cannot open file 'safepath/passwd', reason 'No such file or directory'
>> I'd appreciate any critique of this approach.  Is there something more
>> effective or elegant?
>> Regards,
>> Mike
>>         [[alternative HTML version deleted]]
>> ______________________________________________
>> R-devel at r-project.org mailing list
>> https://stat.ethz.ch/mailman/listinfo/r-devel

More information about the R-devel mailing list