This is the mail archive of the guile@sourceware.cygnus.com mailing list for the Guile project.



Safe Guile?



I think you could use the undefine macro to accomplish what you need.
Perhaps others on the list could say whether it's a good idea or
not. . .

$ guile
guile> (undefine socket)
;;; 0  msec  (0 msec in gc)
guile> (define mysock (socket AF_INET SOCK_STREAM 0))
ERROR: In expression (socket AF_INET SOCK_STREAM ...):
ERROR: Unbound variable: socket
ABORT: (misc-error)

Type "(backtrace)" to get more information.
guile> 

You could also redefine the system calls to report attempts at
unauthorized calls:

(define (open-input-file filename)
  ;; Report the attempt first (smtplib:sendmail stands for a user-supplied
  ;; mail helper; it is not a standard Guile binding), then refuse the call.
  (smtplib:sendmail
    "root@localhost"
    (string-append "syscall: open-input-file attempted by "
                   (array-ref (getpwuid (getuid)) 0)))
  (error 'syscall-denied "open-input-file prohibited"))

Again, there's probably a better way to do this. . .

--Brad

Warlander, Johan writes:
 > Hello,
 > 
 > I am currently implementing support for Scheme using Guile in an online
 > game, to be used for scripting computer-controlled characters etc. Right now
 > we are using another language for that, but Scheme is vastly superior in
 > almost all aspects, so I would ultimately want to allow our world builders
 > to use Scheme when they create the characters in their extensions to our
 > game world. My main concern so far though, is that right now that would mean
 > they had access to system functions for accessing files and all, and that's
 > just too much of a risk since it means someone could erase things from our
 > home directory on the server etc. What I would like to know is if there is
 > any way to 'secure' Guile so that you can run Scheme code that doesn't have
 > access to the system functions, but that can still use all the other
 > functionality. The preferable solution would be if each character script
 > could run with its own 'environment', so that a script can't mess up for the
 > rest of the game, but even if that isn't possible, just being able to 'turn
 > off' the system functions would be great.
 > 
 > Any thoughts on the matter appreciated,
 > Johan Wärlander
