[Rd] Advice on parsing / overriding function calls
Prof Brian Ripley
ripley at stats.ox.ac.uk
Thu Aug 16 18:27:27 CEST 2007
On Thu, 16 Aug 2007, Simon Urbanek wrote:
> Thinking along these lines, we actually have a mechanism for
> replacing the system call (it's used by the Mac GUI to allow root
> calls) and one could think of expanding this to all critical
> operations. Clearly, there are issues (speed for example), but it
> would be nice to have a 'fortified' version of R that allows turing
> on restrictions. I don't think it's easy, but given the rising demand
> (at least in my perception), it would be interesting to see how far
> we can get.
> Re filtering strings in commands - I don't think this will work,
> because you can compute on the language, so you can construct
> arbitrary calls without using the names in verbatim, so it is
> possible to circumvent such filters fairly easily.
Exactly. All I would need is access to a file() connection, and I could
easily do that in such a way that 'file' never appeared in the script.
And I've thought of half a dozen backdoors that have not been mentioned in
I am not sure there is really much point in trying to fortify R, when
that's the OS's job and it may well be better to run R in a suitable
sandbox. Certainly I think that is the solution for web services.
One area where it may be necessary is embedded applications. Certainly if
R is embedded into the same process (which is how R as an shlib or DLL is
usually used) then you may want the main application to have privileges
you do not give to the embedded R. But using a separate process (e.g. via
Rserve) may be more secure.
> On Aug 16, 2007, at 9:23 AM, Hin-Tak Leung wrote:
>> Well, I think there are some serious use e.g. offering a web server
>> for script uploaded then downloading the Rout result back...
>> The issue is more about whether he wants to limit *all* file system
>> access or just limiting to certain areas. For the former,
>> I would set up a chroot jail and run R from within; for the latter,
>> I would probably do something with LD_LIBRARY_PRELOAD to override
>> all the file system accessing functions in libc directly, really.
>> That would fix the problem with system(rm) and some such, I think,
>> because if your entire R process and any sub-process R launches has no
>> access to the genuine libc fwrite/fread/etc functions you cannot do
>> any demage, right?
>> Both are tricky and take time to do (the chroot jail a bit easier,
>> actually...), but quite do-able.
>> It depends on (1) how paranoid you are, (2) how much trouble you
>> want to
>> have for yourself to achieve those restrictions...
>> hadley wickham wrote:
>>> What are you trying to defend against? A serious attacker could
>>> use rm/assign/get/eval/... to circumvent your replaced functions. I
>>> think it would be very difficult (if not impossible) to prevent this
>>> from happening), especially if the user can load packages.
>>> On 8/16/07, Michael Cassin <michael at cassin.name> wrote:
>>>> I am trying to tighten file I/O security on a process that passes a
>>>> user-supplied script to R CMD Batch. Broadly speaking, I'd like
>>>> to restrict
>>>> I/O to a designated path on the file system. Right now, I'm
>>>> trying to
>>>> address this in the R environment by forcing the script to use
>>>> versions of scan, read.table, sys.load.image, etc.
>>>> I can run a replace string on the user-supplied script so that,
>>>> for example,
>>>> "scan(" is replaced by "safe.scan("
>>>>> SafePath <- function(file)
>>>>  "safepath/passwd"
>>>>> Safe.scan <- function(file, ...) scan(SafePath(file),...)
>>>> Error in file(file, "r") : unable to open connection
>>>> In addition: Warning message:
>>>> cannot open file 'safepath/passwd', reason 'No such file or
>>>> I'd appreciate any critique of this approach. Is there something
>>>> effective or elegant?
Brian D. Ripley, ripley at stats.ox.ac.uk
Professor of Applied Statistics, http://www.stats.ox.ac.uk/~ripley/
University of Oxford, Tel: +44 1865 272861 (self)
1 South Parks Road, +44 1865 272866 (PA)
Oxford OX1 3TG, UK Fax: +44 1865 272595
More information about the R-devel