Actually we're in agreement; as you put it, a 100% secure system is beyond
the means of most people.
So I'll rephrase what I wrote earlier: "Although theoretically possible,
real world considerations are such that a 100% secure publicly-accessible
webserver that is within the financial means of
On 22 May 2009, at 14:43, Graham Percival wrote:
Of course, 'security' is relative - nothing will stop a committed
hacker who's targeted your system, so I'm a bit mystified by
some of the other responses here.
That's not true -- The only reason that computer security is a
joke is that people *t
Graham Percival wrote:
On Thu, May 21, 2009 at 02:47:54PM -0400, Mike Blackstock wrote:
Of course, 'security' is relative - nothing will stop a committed
hacker who's targeted your system, so I'm a bit mystified by
some of the other responses here.
That's not true -- The only reason tha
On Thu, May 21, 2009 at 02:47:54PM -0400, Mike Blackstock wrote:
> Of course, 'security' is relative - nothing will stop a committed
> hacker who's targeted your system, so I'm a bit mystified by
> some of the other responses here.
That's not true -- The only reason that computer security is a
joke
No problem; if you do implement a chroot jail, the Sessink kit will make it
relatively painless.
Of course, 'security' is relative - nothing will stop a committed hacker
who's targeted your system, so I'm a bit mystified by some of the other
responses here. The original question was how to prevent
On Thu, May 21, 2009 at 8:38 AM, Matthias Kilian wrote:
> On Thu, May 21, 2009 at 11:41:36AM +0100, Alex wrote:
>> Yeah, I've just been looking at safe-lily.scm which appears to filter
>> any given module against the safe funcs
>> Also I saw the bit that bans include files when in safe mode.
>
Matthias Kilian wrote:
On Thu, May 21, 2009 at 11:41:36AM +0100, Alex wrote:
Yeah, I've just been looking at safe-lily.scm which appears to filter
any given module against the safe funcs
Also I saw the bit that bans include files when in safe mode.
So, the CPU style DoS attack aside, do
On Thu, May 21, 2009 at 11:41:36AM +0100, Alex wrote:
> Graham Percival wrote:
>> On Wed, May 20, 2009 at 10:42:28AM +0100, Alex wrote:
>>
>> This is what -dsafe does. However, this disallows many useful
>> tweaks, and also doesn't stop a particular snippet from using
>> massive CPU resources.
On Thu, May 21, 2009 at 11:41:36AM +0100, Alex wrote:
> Yeah, I've just been looking at safe-lily.scm which appears to filter
> any given module against the safe funcs
> Also I saw the bit that bans include files when in safe mode.
> So, the CPU style DoS attack aside, do the above two cover a
Graham Percival wrote:
On Wed, May 20, 2009 at 10:42:28AM +0100, Alex wrote:
An alternative for my own context could be to just offer a subset of
lilypond functionality, and reject any output that goes beyond that.
This is what -dsafe does. However, this disallows many useful
tweak
On Wed, May 20, 2009 at 10:42:28AM +0100, Alex wrote:
> An alternative for my own context could be to just offer a subset of
> lilypond functionality, and reject any output that goes beyond that.
This is what -dsafe does. However, this disallows many useful
tweaks, and also doesn't stop a par
Daniel Hulme wrote:
This might sound like nitpicking, but since security's concerned, I want
to be absolutely clear.
On Tue, May 19, 2009 at 01:08:28PM -0400, Mike Blackstock wrote:
Furthermore, you just limit the number of utilities you put in the
/bin directories; if you don't have the 'rm
Mike Blackstock wrote:
Install Lilypond in its own chroot jail using Olivier Sessink's jailkit
available at http://olivier.sessink.nl/jailkit/
A 'chroot jail' means putting Lilypond on its own filesystem so that
nefarious activity - such as deleting arbitrary files - will be limited
to the Lilypo
This might sound like nitpicking, but since security's concerned, I want
to be absolutely clear.
On Tue, May 19, 2009 at 01:08:28PM -0400, Mike Blackstock wrote:
> Furthermore, you just limit the number of utilities you put in the
> /bin directories; if you don't have the 'rm' command in there, th
Install Lilypond in its own chroot jail using Olivier Sessink's jailkit
available at http://olivier.sessink.nl/jailkit/
A 'chroot jail' means putting Lilypond on its own filesystem so that
nefarious activity - such as deleting arbitrary files - will be limited
to the Lilypond file system. Furthermo
Francisco Vila wrote:
2009/5/18 Alex :
Clearly I'll have to be very careful about what is permitted!
When you say that you know how to solve these issues - can you elaborate
please? Do you mean in terms of the changes required to lilypond to enable a
"locked down" mode, or something else?
2009/5/18 Alex :
> Clearly I'll have to be very careful about what is permitted!
>
> When you say that you know how to solve these issues - can you elaborate
> please? Do you mean in terms of the changes required to lilypond to enable a
> "locked down" mode, or something else?
It is called the 'sa
On Mon, May 18, 2009 at 03:12:16PM +0100, Alex wrote:
> Graham Percival wrote:
>> Search the mailing list archives on this list and the -devel list for a
>> discussion. In summary:
>>
> When you say that you know how to solve these issues - can you elaborate
> please?
Have you read the previous d
Graham Percival wrote:
#(system 'rm -rf /')
or something like that.
Search the mailing list archives on this list and the -devel list for a
discussion. In summary:
1) somebody could wipe out anything that the web interface
software can touch.
3) somebody could read anything that the web interface so
Joseph Haig wrote:
2009/5/18 Alex :
I'm wanting to run lilypond behind a web interface as a free tool that
anyone can use. The proof-of-concept seems to work fine. Now I'm
thinking of security considerations. In particular, what input to
lilypond is possible that could have nuisance or destru
#(system 'rm -rf /')
or something like that.
Search the mailing list archives on this list and the -devel list for a
discussion. In summary:
1) somebody could wipe out anything that the web interface
software can touch.
3) somebody could read anything that the web interface software
can read.
2) someb
2009/5/18 Alex :
> I'm wanting to run lilypond behind a web interface as a free tool that
> anyone can use. The proof-of-concept seems to work fine. Now I'm
> thinking of security considerations. In particular, what input to
> lilypond is possible that could have nuisance or destructive effect?
>
I'm wanting to run lilypond behind a web interface as a free tool that
anyone can use. The proof-of-concept seems to work fine. Now I'm
thinking of security considerations. In particular, what input to
lilypond is possible that could have nuisance or destructive effect?
Alex
23 matches