[Sugar-devel] programming on thin ice
Bert Freudenberg
bert at freudenbergs.de
Fri Jan 30 04:09:29 EST 2009
On 30.01.2009, at 09:38, Morgan Collett wrote:
> On Fri, Jan 30, 2009 at 04:59, Benjamin M. Schwartz
> <bmschwar at fas.harvard.edu> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Walter Bender wrote:
>>> (1) A simple idea I am exploring are to allow Turtle Art users to
>>> enter simple Python commands directly into a block, as per
>>> http://sugarlabs.org/go/Image:Ta-sin.png
>>
>> Beautiful.
>>
>>> But here is my question:
>>>
>>> My code for #1 above is:
>>>
>>> def myfunc(lc, f, x):
>>>     myf = "def f(x): return " + f
>>>     userdefined = {}
>>>     try:
>>>         exec myf in globals(), userdefined
>>>     except:
>>>         raise logoerror("#syntaxerror")
>>>     return userdefined.values()[0](x)
>>>
>>> What I am concerned about is making the system vulnerable by letting
>>> arbitrary functions to execute within TA.
>>
>> Don't worry about it. Three reasons:
>>
>> 1. You're right. Rainbow's protections here are strong. The
>> user-modified code can neither read nor write nor overwrite the
>> contents of the Journal, for example. There are lots of other bad
>> things it could do, like fill the disk with junk, break the TurtleArt
>> icons so that TurtleArt won't start, or flood the network, but
>>
>> 2. the user is writing this code themselves. They'd have to go to
>> great lengths, just to (very temporarily) break their own machine.
>> Besides,
>>
>> 3. the remaining issues in (1) should be fixed inside Rainbow,
>> rather than ineffectually patched by each Activity.
>
> Pippy already lets them write and run arbitrary code in the UI.
>
> If they can run Terminal, they can write and run arbitrary code.
This is different because Terminal is not protected by Rainbow. And
even super user rights are readily available there.
User code in an activity is more dangerous because it is more easily
shared between users. Now that we can effortlessly send Journal
entries to other users, the user-code inside these entries could do
considerable harm. While direct file access is disallowed by Rainbow,
the datastore API is still completely unprotected. One could easily
write some code into the extended TurtleArt tile that deletes all
entries in the Journal, or sends them to a server.
Rainbow was designed to counter those attacks but it's not implemented
yet afaik.
And for Sugar running on other Linux distros I think Rainbow is not
even supported, is it? So there an activity can access or delete all
the user's files. Which is the reason that the Squeak VM has a sandbox
mode that limits file access for Etoys projects.
Unfortunately this appears to be infeasible for the Python VM which
has a gazillion modules that each would have to be sandboxed. But
maybe (as Walter suggested) there was a limit on the imports you could
do?
- Bert -
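The thread contrasts Walter's tile code, which executes the user's expression with the activity's own globals(), against the idea of limiting what the user code may import. The block below is an added example, not code from this thread or from TurtleArt, written in Python 3 (the quoted original is Python 2). It keeps Walter's "def f(x): return " + f construction but hands the generated function a constructed allow-list of builtins and an import hook that only admits modules named in ALLOWED_MODULES; the names myfunc_open, myfunc_restricted, evaluate_tile, ImportDenied and LogoError are assumptions for illustration. As Bert suspects, this is not a real sandbox: CPython's builtins restriction can be escaped through attribute introspection on ordinary objects, so the value of the hook is that accidental or casual file and network access in a shared tile fails loudly and visibly, not that it stops a determined author.

```python
import builtins

# Constructed allow-list: the only modules a tile expression may import.
ALLOWED_MODULES = frozenset({"math"})


class ImportDenied(Exception):
    """Raised when tile code asks for a module outside ALLOWED_MODULES."""


class LogoError(Exception):
    """Stand-in for TurtleArt's logoerror (hypothetical name here)."""


def _restricted_import(name, globals=None, locals=None, fromlist=(), level=0):
    """Import hook installed as __import__ for tile code.

    Rejects relative imports and any package whose top-level name is not
    allow-listed, then defers to the real importer for the rest.
    """
    if level != 0 or name.split(".")[0] not in ALLOWED_MODULES:
        raise ImportDenied(name)
    return builtins.__import__(name, globals, locals, fromlist, level)


# Builtins visible to tile code: an explicit subset, no open(), no exec().
SAFE_BUILTINS = {
    "abs": abs, "min": min, "max": max, "round": round,
    "int": int, "float": float, "str": str, "len": len, "range": range,
    "__import__": _restricted_import,
}


def myfunc_open(f, x):
    """Walter's pattern as quoted above: the tile runs in the module's globals()."""
    userdefined = {}
    exec("def f(x): return " + f, globals(), userdefined)
    return userdefined["f"](x)


def myfunc_restricted(f, x):
    """Same tile semantics, but the generated function only sees SAFE_BUILTINS.

    The function object's __globals__ becomes `env`, so every builtin lookup
    inside the tile expression resolves against SAFE_BUILTINS instead of the
    interpreter's real builtins module.
    """
    source = "def f(x): return " + f
    env = {"__builtins__": SAFE_BUILTINS}
    userdefined = {}
    try:
        exec(source, env, userdefined)
    except SyntaxError:
        raise LogoError("#syntaxerror")
    return userdefined["f"](x)


def evaluate_tile(f, x):
    """Run a tile expression under the restricted evaluator.

    Returns a (status, detail) pair so a caller (or the UI) can tell a
    denied import from a syntax error or an unknown name without parsing
    tracebacks.
    """
    try:
        return ("ok", myfunc_restricted(f, x))
    except ImportDenied as e:
        return ("denied", str(e))
    except LogoError as e:
        return ("syntaxerror", str(e))
    except NameError as e:
        return ("nameerror", e.args[0])


if __name__ == "__main__":
    # Constructed tile contents, in the form a user would type into the block.
    for expr, arg in [("__import__('math').sqrt(x)", 16),
                      ("__import__('os').getcwd()", 0),
                      ("open(x)", "notes.txt"),
                      ("x +", 1)]:
        print(repr(expr), "->", evaluate_tile(expr, arg))
```

With the open evaluator the name `open` inside a tile resolves to the real builtin; with the restricted one it is simply undefined, and `__import__('os')` is refused by name before anything is loaded. The allow-list is deliberately tiny so that adding a module is a conscious, reviewable decision rather than the default.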