On Thu, May 21, 2009 at 11:41:36AM +0100, Alex wrote:
> Yeah, I've just been looking at safe-lily.scm which appears to filter
> any given module against the safe funcs....
> Also I saw the bit that bans include files when in safe mode.
> So, the CPU style DoS attack aside, do the above two cover all known
> vectors of attack?

Who knows? You have to audit *all* functions allowed in safe-lily.scm.
And you have to check every future change to those functions. I don't
believe that such a safe mode will ever be enough to make a program
really safe.

> > We'd like to add this functionality to lilypond itself, but that
> > takes more coding, of course. And such patches would need to be
> > examined very carefully; a badly-implemented security feature is
> > worse than no security feature at all!

> Oh yeah. Not to be taken lightly!
> I suppose there could be an argument that protecting against resource
> hogging isn't in the remit of lilypond itself - it's more a
> usage/context consideration - but it could be handy to have embedded
> in lilypond.

No, why? You can limit resource access (cpu, memory, disk, network)
from whatever starts lilypond. Adding such functionality to lilypond
makes the code more complex and error-prone.
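As an added illustration of the reply's point (this is not code from the thread's authors or from the lilypond project), a small POSIX sh wrapper that applies CPU, memory and file-size caps from the process that starts lilypond; it assumes a Linux shell whose ulimit supports -v, lilypond on PATH, and that -dsafe is the safe-mode switch of the lilypond release in use.

```shell
#!/bin/sh
# run_limited WORKDIR CPU_SECONDS MEM_KB FILE_KB COMMAND [ARGS...]
# Runs COMMAND inside WORKDIR with resource limits set by the caller,
# so lilypond itself needs no resource-accounting code. The caller's
# own limits are untouched because everything happens in a subshell.
# Exit status is that of COMMAND (128+signal if a limit killed it),
# or 125 if a limit could not be applied.
run_limited() {
    workdir=$1; cpu_seconds=$2; mem_kb=$3; file_kb=$4
    shift 4
    (
        cd "$workdir" || exit 125
        ulimit -t "$cpu_seconds" || exit 125  # CPU seconds before SIGXCPU
        ulimit -v "$mem_kb" || exit 125       # address space, KiB
        ulimit -f "$file_kb" || exit 125      # largest file written, KiB
        # Network access cannot be capped with ulimit; that is a job
        # for the OS (namespaces, firewall), not for this wrapper.
        exec "$@"
    )
}

# Usage (assumption: -dsafe is the safe-mode option; the score must be
# given as an absolute path because the command runs inside WORKDIR):
#   mkdir -p /tmp/scratch
#   run_limited /tmp/scratch 60 524288 20480 \
#       lilypond -dsafe /home/user/untrusted.ly
```

Safe mode still has to be audited as the reply says; the wrapper only bounds what a runaway or malicious score can cost the host.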