gildir has asked for the wisdom of the Perl Monks concerning the following question:
Recently I have made some experiments with Safe module, and that induced one idea in my head. I will explain it on an example.
Imagine that you are writing public CGI service or some templating system or whatever that includes perl code snippets. For speed optimizations you want to compile that public perl code once and run it many times over. Simple task so far, just use my $sub = eval "sub { $code }";. But, what if user includes open(P,"/etc/passwd"); print(<P>); in his code?
One possible solution is still simple, use a Safe module to restrict open opcode (as shown in Safe module security and emebeded perl). But I want an open function to be accessible to user, for example to enable user include his own files that are in his home directory, but nothing else.
And now the question:
Is there some way how to 'trap' some opcodes in perl, inspect arguments and then resume execution if everything is OK?
I seek funcionality very similar to Java sandbox. Can this be done in perl?
N.B. chroot is no solution. It will work for open, but not for other calls. For example it won't affect opening a socket to source server only in applet-like scenario.
|
---|
Replies are listed 'Best First'. | |
---|---|
Re: Perl sandbox
by Fletch (Bishop) on Nov 06, 2001 at 20:07 UTC | |
Re: Perl sandbox
by jepri (Parson) on Nov 06, 2001 at 21:41 UTC | |
Re: Perl sandbox
by alien_life_form (Pilgrim) on Nov 06, 2001 at 21:50 UTC | |
Re: Perl sandbox
by cLive ;-) (Prior) on Nov 06, 2001 at 22:22 UTC | |
Re: Perl sandbox
by mr_mischief (Monsignor) on Nov 08, 2001 at 00:58 UTC |