
Dear All,
new to haskell, so this might be obvious, but...
I'm setting up a gallery installation (OSX) that exposes a command line haskell to the visitors. The process is run with user 'nobody', so hopefully that will be a bit safer, i.e.
cat visitor_commands_pipe | sudo -u nobody ghci -XOverloadedStrings
But my questions are:
1) what sort of damage could a malicious user do to my system by entering commands into the pipe?
2) what should I do to protect my system?
I can filter the user commands as I like, but I do not want to run 'in a webpage'.
Thanks in advance, -Duncan.

hi,
The process is run with user 'nobody', so hopefully that will be a bit safer, i.e.
a bit, yes. apart from breaking out of the account (and becoming root) via os vulnerabilities the user can send any network traffic they like, which might or might not be ok. also there might be any number of important processes running for user nobody. you better use a dedicated user for running ghci. that might also allow you to sandbox the account easier (firewall and dac's/mac's, etc. i don't know what's available on mac os x). you might also like to look into SafeHaskell to restrict what users can do. good luck, tobias florek


Hi Duncan,
I'd highly recommend using something like mueval: http://hackage.haskell.org/package/mueval
In the setup you suggested a malicious user can:
1) execute other processes (to create a remote shell using nc, or to try to exploit suid binaries),
2) do any network IO (to send spam for example),
3) read files readable to all users (kind of obvious, but /etc/passwd can be read by anyone on the system -- attackers can learn who uses the system, what services are running),
4) it allows access to the loopback interface, which makes it very hard to firewall it properly.
And this is only the stuff that came to my mind in 5 minutes. Basically this setup is like giving anyone access to a shell.
Cheers, Mateusz
On Thu, Feb 13, 2014 at 08:29:31AM +0000, Duncan Rowland wrote:
Dear All,
new to haskell, so this might be obvious, but...
I'm setting up a gallery installation (OSX) that exposes a command line haskell to the visitors. The process is run with user 'nobody', so hopefully that will be a bit safer, i.e.
cat visitor_commands_pipe | sudo -u nobody ghci -XOverloadedStrings
But my questions are: 1) what sort of damage could a malicious user do to my system by entering commands into the pipe? 2) what should I do to protect my system? I can filter the user commands as I like, but I do not want to run 'in a webpage'.
Thanks in advance, -Duncan.

Duncan Rowland
2) what should I do to protect my system? I can filter the user commands as I like, but I do not want to run 'in a webpage'.
You might want to read http://www.haskell.org/haskellwiki/Safely_running_untrusted_Haskell_code which explains the security measures taken by "lambdabot" (an IRC bot which executes any Haskell code it's sent).
Cheers, Chris
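The replies above suggest three concrete mitigations: a dedicated account instead of 'nobody' (Tobias), Safe Haskell (Tobias, and the lambdabot wiki page Chris links), and filtering the visitor input (Duncan says he can filter). The wrapper below, written here as an added example and not code from any participant in the thread, strings those together around the original `cat pipe | sudo -u nobody ghci` pipeline. It assumes an unprivileged account named `ghci-kiosk` exists, that this ghci version honours `-XSafe` for interactive imports, and that the FIFO path is hypothetical; none of those names appear on the page.

```shell
#!/bin/sh
# Added example (not from the thread): a kiosk wrapper that applies the
# mitigations the replies mention. Assumptions, none of which are on the page:
#   - an unprivileged account "ghci-kiosk" exists for this installation
#   - "-XSafe" makes this ghci version refuse unsafe imports
#   - the FIFO path below is hypothetical

KIOSK_USER=${KIOSK_USER:-ghci-kiosk}
PIPE=${PIPE:-/var/run/visitor_commands_pipe}

# is_allowed LINE: succeed only for lines that are not GHCi meta-commands.
# Every ':' command is rejected rather than deny-listing specific ones:
# ':!' runs a shell command, ':set' could switch Safe Haskell back off, and
# GHCi accepts abbreviations (':s', ':scr', ...) that a deny-list would miss.
is_allowed() {
  case "$1" in
    '' | :*) return 1 ;;
    *)       return 0 ;;
  esac
}

# filter_commands: read visitor lines on stdin, emit the allowed ones on stdout.
# 'read -r' keeps backslashes intact; the default IFS strips leading blanks,
# so "   :! ls" is still recognised as a meta-command.
filter_commands() {
  while read -r line; do
    if is_allowed "$line"; then
      printf '%s\n' "$line"
    fi
  done
}

# run_kiosk: the replacement for `cat pipe | sudo -u nobody ghci ...`.
# ulimit -t caps CPU seconds for the ghci process that inherits it, so a
# runaway expression (an infinite list, say) cannot pin the machine.
run_kiosk() {
  ulimit -t 30
  filter_commands < "$PIPE" \
    | sudo -u "$KIOSK_USER" ghci -XSafe -XOverloadedStrings
}

# Only start the kiosk when explicitly asked, so the functions can be sourced.
if [ "${KIOSK_RUN:-0}" = 1 ]; then
  run_kiosk
fi
```

One caveat worth keeping in mind: Safe Haskell restricts unsafe language features, not the IO monad. A Safe session can still run `readFile` or spawn processes, which is exactly the damage Mateusz lists, so the dedicated account, its firewalling and the CPU limit carry the real weight here, and mueval's approach of allowing only a fixed whitelist of modules and evaluating expressions under a timeout is the stronger fix.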
participants (4): Chris Warburton, Duncan Rowland, Mateusz Lenik, Tobias Florek