On Tuesday 23 August 2005 09:30, many people wrote:
> Lots of messages about sandboxing Lua
Wee! 40 messages waiting for me when I get in to work!
The reason why I'm posting this is that I've noticed that nobody's actually
explained the following yet, which may help to clarify things slightly.
There are two parts to Lua; there's the language (if...then...end,
while...end, function...end, etc), and there are the libraries (print,
math.sin, io.open, etc). The Lua *language* has zero functionality for doing
anything without the libraries. As all the libraries are accessed via global
variables, and the set of global variables a piece of code has access to can
be easily changed, this means that the set of available libraries is
trivially customisable. This means that it's possible to remove *all* ways
that a Lua script can interact with the outside world, by simply removing the
set of available libraries.
This Lua program:
script = io.read("*all") -- read in text from stdin
chunk = loadstring(script) -- compile into an executable Lua chunk
setfenv(chunk, {}) -- completely empty the chunk's globals
status, result = pcall(chunk) -- execute the chunk
print("status=", status, " result=", result)
...implements a safe Lua interpreter. It will execute the Lua program given in
stdin in a sandboxed environment; the only way the sandboxed program has of
interacting with the outside world is to return a value --- try it. If you
can break it, the devs here would love to know because it's a major bug.
It'll even execute invalid Lua code safely, returning the error that occurred
so your program can deal with it.
(Typically you wouldn't do the above, because there are a number of safe
functions that all Lua programs use; tonumber(), tostring(), type(),
unpack(), math, table, etc. You'd want to provide these to the sandboxed
program.)
This *doesn't* put limits on CPU time and memory usage, but you can do that
fairly easily by using the C API --- you'd set a timer that, when fired,
would cause the sandboxed program to be terminated. By putting a bound on the
amount of CPU time you automatically put a bound on the amount of memory, but
that can be customised as well.
Does this help?
--
+- David Given --McQ-+ "...it's not that well-designed GUI's are rare,
| dg@cowlark.com | it's just that the three-armed users GUI's are
| (dg@tao-group.com) | designed for are rare." --- Mike Uhl on a.f.c
+- www.cowlark.com --+
Attachment:
pgpQVookuIpbZ.pgp
Description: PGP signature