
Re: sandboxing

From: Dan Sugalski
Date: May 4, 2001 06:33
Subject: Re: sandboxing
Message ID: 5.1.0.14.0.20010504091332.0218f110@24.8.96.48
At 12:03 PM 5/4/2001 +0100, Michael G Schwern wrote:
>Sure, Unix has ulimits, ipchains, quotas,
>etc... but what about the DumbOS's and the AncientOS's?

You'll want to be careful of the epithets there. For this stuff the world 
is really divided into single-user and multi-user OSes. Unix ranks down at 
the bottom of the list in comparison to most of the other multiuser OSes, 
both in terms of what limits can be placed and what tracking and accounting 
data is collected.

Building a good sandbox with resource limits on a VMS system is trivial. I 
expect it may even be easier with IBM's big iron OSes. It's less trivial 
with Unix, but not bad. Beats me on WindowsNT, though I'd bet it's up to 
the task.

The single-user OSes are more problematic. I don't know that MacOS (before 
OS X) provides the info we need, but as of System 7.x it didn't. Nor do Win9x 
or AmigaOS. (Though for those we can still track memory usage.)

>IMHO that should be the indicator of whether Perl needs to provide a
>particular sandbox feature.  If we leave it up to the OS, how many
>OS's leave no way (or very difficult ways) to do it.  And how
>radically different are the ones which provide it?

Luckily the security sandbox features are all implementable from within 
perl. It's the resource limitation ones that are trickier, especially CPU time.

					Dan

--------------------------------------"it's like this"-------------------
Dan Sugalski                          even samurai
dan@sidhe.org                         have teddy bears and even
                                      teddy bears get drunk
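As an added illustration of the distinction Dan draws (not code from the thread, and in Python rather than Perl, since only the Unix mechanism matters here): the OS-level RLIMIT_CPU limit that ulimit exposes, applied to a forked child, beside an in-interpreter CPU-time watchdog of the kind an interpreter has to build for itself. It assumes a Unix host (Linux or macOS); the `spin` workload and the two `run_with_*` helpers are constructed for the example.

```python
import os
import resource
import signal

class CpuBudgetExceeded(Exception):
    """Raised by the in-process watchdog when the CPU budget is spent."""

def spin():
    # Constructed workload: a CPU-bound loop that never finishes on its own.
    x = 0
    while True:
        x = (x * 31 + 7) % 1000003

def run_with_os_limit(func, cpu_seconds):
    """OS-level limit: run func in a forked child under RLIMIT_CPU.

    The kernel sends SIGXCPU at the soft limit and SIGKILL at the hard limit,
    so the child cannot opt out. Returns ("exited", code) or ("signaled", sig).
    """
    pid = os.fork()
    if pid == 0:
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
        try:
            func()
        finally:
            os._exit(0)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return ("signaled", os.WTERMSIG(status))
    return ("exited", os.WEXITSTATUS(status))

def run_with_profile_timer(func, cpu_seconds):
    """Interpreter-level limit: an ITIMER_PROF watchdog in the same process.

    ITIMER_PROF counts user+system CPU time, not wall-clock time. The handler
    raises an exception, which only lands between interpreter bytecodes, so a
    long-running native call is not interrupted; the timer must also be
    disarmed and the handler restored on every exit path.
    """
    def on_prof(signum, frame):
        raise CpuBudgetExceeded()
    old_handler = signal.signal(signal.SIGPROF, on_prof)
    signal.setitimer(signal.ITIMER_PROF, cpu_seconds)
    try:
        func()
        return "completed"
    except CpuBudgetExceeded:
        return "budget_exceeded"
    finally:
        signal.setitimer(signal.ITIMER_PROF, 0)
        signal.signal(signal.SIGPROF, old_handler)
```

The OS limit survives anything the sandboxed code does, while the in-process timer is only as reliable as the interpreter's ability to check for the signal, which is the gap the post is pointing at.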
