
Re: Security models in mzscheme ??



On Sat, Dec 02, 2000 at 11:59:09AM -0800, John Casu wrote:
> > 
> > You will also find the _threads_ and _custodians_ built into PLT
> > Scheme extremely useful for this task, to enforce timeouts and to
> > gather up resources allocated by the user's program.
> > 
> > The security risks of doing this are massive.  Be sure you know what
> > you're doing.
> 
> How would one go about adding a security model to mzscheme, so that you
> could run your cgi/scheme code in a sandbox?
> 
> Specifically, given a granted authority, I'd like to be able to create a
> new process, with a different capability or user/group id to the parent.
> 
> I'm interested in building a scheme machine using the mzscheme/oskit
> combo, and I'd like to make that a multiuser system.
> 
> thanks,
> 
> john c.

To sandbox a program you want to use the parameterize form to
adjust thread-local variables and start a new thread.  Various parameters
prevent the code from messing up the I/O ports (i.e. closing them), exiting,
registering code to run at garbage collection time, etc.  Using a new
custodian provides you with a way to shut down the user process and any of
its sub-threads, and it also keeps it from shutting your threads down.

That alone is not enough, though, since it still has access to all the normal
file accessing primitives.  You also need to set up a namespace, probably
an empty one, and then add the things you want into it.  i.e. don't add
the delete-file primitive.

Users and groups are another can of worms.  You would need to provide wrappers
for the file primitives to implement your own file system on top of the
existing one, with meta information about the files (like owner, groups,
access privileges) somewhere else.

Paul
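The sandbox sketched above (parameterize, a fresh thread under its own custodian, a namespace holding only chosen primitives), as an added example that is not part of the original thread. It is written for modern Racket, the successor of mzscheme, so the function names used (make-base-empty-namespace, custodian-limit-memory, sync/timeout) are assumptions about the current API rather than the 2000-era one.

```racket
#lang racket/base
;; Added example (not from the original thread); written for modern Racket,
;; the successor of mzscheme, whose 2000-era API differs in detail.

;; A namespace holding only the primitives we choose to expose.  File
;; primitives such as delete-file are simply not reachable from it.
(define (make-restricted-namespace)
  (define ns (make-base-empty-namespace))
  (parameterize ([current-namespace ns])
    (namespace-require
     '(only racket/base #%app #%datum begin let + - * / = < > list cons
            car cdr map display newline string-append exit)))
  ns)

;; Evaluate EXPR in a fresh thread under its own custodian, with the I/O
;; and exit parameters overridden so the user code cannot reach ours.
(define (run-sandboxed expr #:timeout [timeout 2])
  (define cust (make-custodian))
  (when (custodian-memory-accounting-available?)
    (custodian-limit-memory cust (* 16 1024 1024)))  ; cap the sandbox heap
  (define out (open-output-string))
  (define result (box '(timeout)))                   ; overwritten on finish
  (define th
    (parameterize ([current-custodian cust]          ; thread belongs to cust
                   [current-namespace (make-restricted-namespace)]
                   [current-output-port out]         ; user output goes here
                   [current-error-port out]
                   [exit-handler                     ; (exit) must not kill us
                    (lambda (code) (error 'sandbox "exit is not permitted"))])
      (thread
       (lambda ()
         (set-box! result
                   (with-handlers ([exn:fail? (lambda (e) (list 'error (exn-message e)))])
                     (list 'ok (eval expr))))))))
  ;; Wait for completion or the deadline, then tear down every thread and
  ;; port the sandbox allocated in one call.
  (sync/timeout timeout th)
  (custodian-shutdown-all cust)
  (values (unbox result) (get-output-string out)))

(define (show expr)
  (define-values (r o) (run-sandboxed expr #:timeout 1))
  (printf "~s -> ~s, output ~s\n" expr r o))

(show '(begin (display "hello") (* 6 7)))   ; ordinary computation succeeds
(show '(delete-file "important.txt"))       ; not bound in the namespace
(show '(exit 0))                            ; intercepted by exit-handler
(show '(let loop () (loop)))                ; runs until the timeout kills it
```

The namespace restriction is what keeps file primitives out of reach; the custodian only guarantees that whatever the user code did start can be torn down afterwards.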