Menu
▾
▴
Re: disabling 'insecure' parts of gnuplot file
|
From: Edward P. <es...@pg...> - 2004-08-31 19:54:43
|
On Tue, Aug 31, 2004 at 12:30:38PM -0700, Ethan Merritt wrote: > On Tuesday 31 August 2004 11:50 am, Edward Peschko wrote: > > And is the above the only dangerous behaviour that is possible from gnuplot? > > No. Not by a long shot. > > Consider: > > set output "~/.login" # trash the user's login file > print `dd if=/bin/zero of=/somewhere/bad` # abuse the back-tic syntax > plot '< rm -rf .' #abuse the pipe mechanism > sh "bad command" # abuse the shell escape mechanism > > You'd have to disable all of these, and probably a few more > that I'm not thinking of at the moment. > Disabling shell escapes and back-tics would not harm most > applications. But disabling pipes, in particular, > would drastically cripple gnuplot's flexibility and ability to work with > other programs. That's probably a deal-breaker right there; well, of course I wouldn't expect a safe version of gnuplot to come standard - I could live with compiling gnuplot with a separate flag that gets rid of these things. > you could disable pipes, but the program you were left with wouldn't > be very useful. not really true, IMO. In mediawiki we'd probably want to limit plotting to inline, which I asked about the other time. IE: it would be up to the user to use programs to create data, etc. which would then be uploaded to mediawiki. > And what could you possibly do to limit "set output <foo>"? disallow it... let output only go to STDOUT.. > I think the only possible mechanism would be to create a > wrapper script that set the UID/EID to a non-privileged user > with no permission to write outside of a captive directory tree. Its barely possible, but its still pretty ugly... You'd need a separate user/etc for each graph. Suppose we had a chroot jail and someone did 'rm -rf /'? The fact that it only eliminated all of the mediawiki graphs is pretty small consolation.. Ed |