[Rd] locking down R

Ben Bolker bbolker at gmail.com
Mon May 20 17:09:20 CEST 2013

On 13-05-20 04:42 AM, Barry Rowlingson wrote:
> On Sun, May 19, 2013 at 7:16 PM, Ben Bolker <bbolker at gmail.com> wrote:
>> The workstations have no access to external networks,
>> nor to external media (thumb drives etc.) [information transfer to the
>> outside world is via shared drives that can be accessed by
>> administrators with network access].
>> * I stipulate that (1) the security policies don't make sense,
>  Correct. If the machines aren't on an external network and have no
> removable media then this isn't about security from the outside
> hacker, it's about trust. The organisation does not trust YOU.
>> (2)
>> allowing users access to arbitrary shell commands should _not_ represent
>> a security risk on a well-administered, modern operating system (they're
>> running WinXP),
>  When does WinXP go out of support? Even so, the PC isn't on the
> network right? So what's the security issue? Doesn't make sense. You
> can't stomp on other people's files. Would it matter if you could
> accidentally see other people's files because they set permissions
> loosely? How compartmentalised are the projects?

   That is indeed one of the major concerns.  The administrators could
certainly lock the file access down more than they have (permissions are
restricted, but I have information about the existence of lots of
directories that I don't have permission to access: the system would
probably be more secure if I couldn't even see the top level of these

>> (3) R probably offers many other avenues for system
>> access to a malicious user, even in the absence of shell access,
>> compilers, etc..
>  The 'malicious user' here is on the inside. The only way to get on
> the machine is to be physically there? Then a malicious user can only
> be a trusted user gone bad. A sufficiently malicious user with
> hardware access can (nearly) always break the thing open and get at
> the data (even if it comes down to reading data lines with a tap to
> get at unencrypted streams). Tell the security guys they need to lock
> the PCs up in a room and provide thin client access over a secure
> private network at once. Enjoy your new Windows Client Access License
> costs.
>  Glad I don't work for someone like that.

  For what it's worth, (1) the people I deal with directly are very
nice, but not technically astute; the problem is more one of a large
bureaucracy covering its ass in some nonsensical ways; (2) this is only
a tiny component of my work.  If I get really frustrated with this I can
just drop it.

  I agree with your analysis of the real security situation, more or
less. (The PCs are pretty secure physically; it would be pretty hard to
break into the boxes without being noticed ...), but I think this
<http://xkcd.com/651/> is a pretty good analogy for the kind of
argument I could get into here.
