gcl-devel

[Gcl-devel] Re: si::socket security


From: Camm Maguire
Subject: [Gcl-devel] Re: si::socket security
Date: 28 Oct 2005 15:48:05 -0400
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.2

Greetings!

In principle you are right, but in practice things are far safer.
Remember that shortly we will spawn these sockets or similar
preconnected and with no tcp/ip connection routines at all -- what we
are playing with now as an early indicator of parallel GCL was really
designed to allow one to write lisp internet server functions,
specifically, axiom wants to serve up its documentation from within
lisp to a web browser.  So with that inevitably comes the security
issue. 

One can attempt to restrict connections within the function itself,
but most typically this is done at the kernel level by the system
administrator.  The chances that any decent system would silently open
these ports to the internet are virtually nil, I'd think, these days.
One has to explicitly open a hole in whatever firewall one has
guarding the system to get this sort of access.  For example, for your
host from here: 
telnet (your host) 1927
Trying (your ip)...
telnet: Unable to connect to remote host: Connection refused

A useful tool is nmap -- it can tell you which ports are accessible
from any host outside your machine.

I'd wager that on any machine you'd run across, the only ports open to
incoming connections from the internet are a few (~ 10) well selected
ones below 1000, i.e. governed by root/sysadmin.  We can confirm this
if you are concerned.

Take care,




Robert Boyer <address@hidden> writes:

> It seems to me that executing something such as (start-eval-server) opens a
> user up to maximal security disruption.
> 
> For example, can't anyone then do something like (e (delete-file "bar.lisp"))
> to delete a file from anywhere on the internet?
> 
> Creating such a giant security hole seems to me very, very serious.  But
> maybe I am missing something big.
> 
> Bob
> 
> -------------------------------------------------------------------------------
> 
> (defun start-eval-server ()
>   (si::socket
>    1927
>    :server
>    #'(lambda (s)
>        (prin1 (eval (read s nil 10)) s)
>        (write-char #\Newline s)
>        (force-output s)
>        (bye))
>    :daemon t))
> 
> (defun e (x)
>   (let ((s (si::socket 1927 :host "(your host)")))
>     (prin1 x s)
>     (write-char #\Newline s)
>     (force-output s)
>     (loop while (not (listen s)) do (sleep 1))
>     (prog1 (read s nil 'eof) (close s))))
> 

-- 
Camm Maguire                                            address@hidden
==========================================================================
"The earth is but one country, and mankind its citizens."  --  Baha'u'llah
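As an added example (not part of this thread), a small shell filter that scans an `ss -ltn`-style listener table and prints every socket bound to a non-loopback address on an unprivileged port, which is exactly the footprint the eval server on 1927 leaves when it binds all interfaces; the sample rows are constructed, `ss` is assumed to be the tool in use, and nmap from an outside host remains the authoritative check for what the firewall actually lets through.

```shell
#!/bin/sh
# Constructed sample in the layout of `ss -ltn` output (not captured from any real host).
SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
LISTEN 0      5      0.0.0.0:1927        0.0.0.0:*
LISTEN 0      128    [::]:80             [::]:*
LISTEN 0      10     [::1]:1928          [::]:*'

# Print "addr:port" for each listener that other hosts could reach
# (wildcard or non-loopback bind) on a port >= 1024, i.e. one any
# unprivileged user could have opened without the sysadmin's say-so.
exposed_unprivileged() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                       # skip the column header
        {
            addrport = $4                      # "Local Address:Port" column
            n = split(addrport, parts, ":")    # port is the last ":"-separated field
            port = parts[n] + 0
            addr = substr(addrport, 1, length(addrport) - length(parts[n]) - 1)
            # loopback binds are unreachable from outside the machine
            if (addr == "127.0.0.1" || addr == "[::1]") next
            if (port >= 1024) print addrport
        }'
}

# Stand-alone run: flags only the 0.0.0.0:1927 listener from the sample.
exposed_unprivileged "$SAMPLE_LISTENERS"
```

Pipe live output in with `ss -ltn | ...` or pass it as the argument; anything printed is a candidate for either a loopback-only bind or a firewall rule.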
