What are you trying to defend against? A serious attacker could still
use rm/assign/get/eval/... to circumvent your replaced functions. I
think it would be very difficult (if not impossible) to prevent this
from happening, especially if the user can load packages.
Hadley
On 8/16/07, Michael Cassin <michael at cassin.name> wrote:
> Hi,
>
> I am trying to tighten file I/O security on a process that passes a
> user-supplied script to R CMD Batch. Broadly speaking, I'd like to
> restrict I/O to a designated path on the file system. Right now, I'm
> trying to address this in the R environment by forcing the script to
> use modified versions of scan, read.table, sys.load.image, etc.
>
> I can run a replace string on the user-supplied script so that, for
> example, "scan(" is replaced by "safe.scan("
>
> e.g.
>
> > SafePath <- function(file)
> {fp<-strsplit(file,"/");paste("safepath",fp[[1]][length(fp[[1]])],sep="/")}
> > SafePath("/etc/passwd")
> [1] "safepath/passwd"
>
> > Safe.scan <- function(file, ...) scan(SafePath(file),...)
> > Safe.scan("/etc/passwd",what="",sep="\n")
> Error in file(file, "r") : unable to open connection
> In addition: Warning message:
> cannot open file 'safepath/passwd', reason 'No such file or directory'
>
> I'd appreciate any critique of this approach. Is there something more
> effective or elegant?
>
> Regards,
> Mike
>
> ______________________________________________
> R-devel at r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-devel
>
--
http://had.co.nz/
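An added example, not code from either poster: rather than rewriting the file name, resolve the requested path inside a designated directory and reject anything whose real location lies outside it. The names jail_root and confined_path, the temporary directory and the sample file are assumptions made for this illustration; it needs R >= 3.3 for startsWith.

```r
# Added example (not from the thread): confine reads to one directory by
# resolving the real path instead of editing the file name.
# jail_root is an assumed name; a temporary directory is used so that the
# example runs stand-alone.
jail_root <- normalizePath(tempfile("safepath"), mustWork = FALSE)
dir.create(jail_root)

confined_path <- function(file, root = jail_root) {
  # scan()/read.table() also accept connections (url(), pipe(), gzfile())
  # and "" for stdin; a rewrite that only edits the name never sees those,
  # so accept a single plain file name only.
  if (!is.character(file) || length(file) != 1L || !nzchar(file))
    stop("only a single non-empty file name is allowed")
  if (grepl("^[A-Za-z][A-Za-z0-9+.-]*://", file))
    stop("URLs are not allowed")
  # Resolve inside the jail. mustWork = TRUE makes ".." and symlinks collapse
  # to the real location; an unresolvable path is an error, not a pass.
  resolved <- normalizePath(file.path(root, file), winslash = "/",
                            mustWork = TRUE)
  root <- normalizePath(root, winslash = "/", mustWork = TRUE)
  if (!startsWith(resolved, paste0(root, "/")))
    stop("path escapes the designated directory: ", file)
  resolved
}

safe.scan <- function(file, ...) scan(confined_path(file), ...)

# Constructed sample input: one data file inside the jail, one outside it.
writeLines(c("alpha", "beta"), file.path(jail_root, "data.txt"))
writeLines("not for the script", file.path(tempdir(), "outside.txt"))

# A file inside the jail is read normally.
print(safe.scan("data.txt", what = "", sep = "\n"))
# A traversal to an existing file outside the jail is refused by the
# prefix check, not merely because the file happens to be missing.
r <- try(safe.scan(file.path("..", "outside.txt"), what = "", sep = "\n"),
         silent = TRUE)
print(inherits(r, "try-error"))
```

This only covers the file-name argument of the wrapped functions; Hadley's point stands that a script which can reach the original functions by other means is not constrained by any wrapper.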