From: Edward P. <es...@pg...> - 2004-08-31 23:36:50
On Tue, Aug 31, 2004 at 02:41:28PM -0700, Ethan Merritt wrote:
> On Tuesday 31 August 2004 12:47 pm, Edward Peschko wrote:
> >
> > > you could disable pipes, but the program you were left with wouldn't
> > > be very useful.
> >
> > not really true, IMO. In mediawiki we'd probably want to limit plotting to inline,
> > which I asked about the other time. I.e. it would be up to the user to use programs
> > to create data, etc. which would then be uploaded to mediawiki.
>
> ???
> What do you mean by "in line"?
> I normally interpret that to mean "via pipe", but that's exactly what
> you would be disabling.

plot '-' index 0, '-' index 1
..
..
..
..
e

via help plot special

I'm assuming this isn't implemented via pipes, but to be fair I don't know.

> > > I think the only possible mechanism would be to create a
> > > wrapper script that set the UID/EID to a non-privileged user
> > > with no permission to write outside of a captive directory tree.
> >
> > It's barely possible, but it's still pretty ugly... You'd need a separate
> > user/etc for each graph.
>
> I don't think you would. The wrapper script itself could save the
> output graph back to the user's own area. Its flow would look like:
> stdin = open input
> stdout = open output
> drop privileges
> mkdir /tmp_<process_id>
> chroot /tmp_<process_id> gnuplot

Yes, I could do this (I guess). It sort of sucks that I need to bend the tool in order to get something done though.

And chroot itself is a pain in the #!% to get working correctly. You need to get the entire library structure and all files associated with the command put underneath /tmp/_<process_id> in order to run it (remember - the OS doesn't have access to them as soon as you run chroot). And you'd have to do this with *every call to chroot*. Plus, portability would go out the window because different systems would require different files to be copied for chroot, and on some systems chroot doesn't work under anything but 'root' - so you'd need root perms to run it.

And trying to sell the idea of making it standard functionality to include with mediawiki would be well-nigh impossible. I think you should take the effort to make it compilably secure, but that's just me... I would think that you would *want* the ability to run gnuplot using users' input. It would make the tool that much more powerful.

Ed
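An added example, not code from this thread, of the wrapper flow Ethan sketches, written in C: it opens the user's input and output in the real filesystem, chroots, and only then drops privileges, since chroot needs root on most systems (the portability point Ed raises), and it refuses a jail that an unprivileged user could write into. It assumes the jail directory has already been populated with gnuplot and its libraries (at /gnuplot inside the jail), that the wrapper itself runs as root, and that uid/gid name an unprivileged account; all of those are assumptions, not facts from the thread.

```c
/* Added example (not from the thread): chroot + privilege-drop wrapper for gnuplot.
 * Assumptions: the jail already holds gnuplot and its shared libraries (the copying
 * Ed describes), this wrapper runs as root, and uid/gid are an unprivileged account. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sys/stat.h>
#include <unistd.h>

/* A jail that anyone but root can write into is not a useful jail: return 1 only
 * for a directory owned by root that is neither group- nor world-writable. */
int jail_ok(const char *jail) {
    struct stat st;
    if (stat(jail, &st) != 0) return 0;
    return S_ISDIR(st.st_mode) && st.st_uid == 0 &&
           (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Wire stdin/stdout to the user's files, confine the process to the jail, drop
 * privileges, then exec gnuplot. Returns -1 with errno set on any failure;
 * on success it never returns. */
int run_in_jail(const char *jail, uid_t uid, gid_t gid,
                const char *in_path, const char *out_path) {
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; } /* never stay root */
    if (!jail_ok(jail)) { errno = EACCES; return -1; }
    /* stdin = open input, stdout = open output, as in the flow above;
     * O_EXCL refuses to overwrite an existing file, O_NOFOLLOW a symlinked input */
    int in = open(in_path, O_RDONLY | O_NOFOLLOW);
    if (in < 0) return -1;
    int out = open(out_path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (out < 0) return -1;
    if (dup2(in, STDIN_FILENO) < 0 || dup2(out, STDOUT_FILENO) < 0) return -1;
    close(in); close(out);
    /* chroot needs root on most systems, so confine first and drop privileges
     * after; chdir("/") keeps the cwd from pointing outside the new root */
    if (chdir(jail) != 0 || chroot(jail) != 0 || chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* confirm the drop is irreversible before touching user-controlled input */
    if (setuid(0) == 0) { errno = EPERM; return -1; }
    execl("/gnuplot", "gnuplot", (char *)NULL);  /* path inside the jail: assumption */
    return -1;
}
```

The gnuplot session is then fed only through the redirected stdin, so the inline `plot '-'` data discussed above is the whole of what the user controls.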