IRC log for #webwork, 2012-08-10

All times shown according to UTC.

Time Nick Message
02:43 yoavfreund joined #webwork
02:45 yoavfreund left #webwork
02:45 yoavfreund joined #webwork
02:46 yoavfreund left #webwork
02:47 yoavfreund joined #webwork
02:47 yoavfreund left #webwork
13:12 djun joined #webwork
14:25 djun joined #webwork
15:00 aubreyja joined #webwork
15:07 djun Hey Jason
15:07 djun I see you got AskSage working - great!
15:29 djun did it turn out to be a Safe issue? How did you work around?
17:39 djun joined #webwork
18:24 aubreyja Hi Djun - yep, totally different approach than before, but it worked. Mainly I added a new function to PG::WeBWorK::IO and shared it with the safe compartment in Translator.pm.  Had to allow some new functions in the safe compartment, but not as many as before
18:25 djun Good stuff! Looking forward to checking it out
18:40 aubreyja Sorry - bouncing back and forth between stuff. I'll push it in just a bit and let you know
18:51 aubreyja Hi djun - just pushed my ask_sage branch to aubreyja/pg-dev
19:06 djun hi jason - great, thanks!
19:20 aubreyja So, I'd like to think carefully about the security implications of this as we move it along
19:22 aubreyja Right now I have in mind: (1) should we restrict at the admin level which services problem authors can query (e.g. allowed services would be recorded in the admin course by the site administrator) and (2) Can we do this in a way that requires allowing fewer new functions into the safe compartment - in particular I'd like to eliminate allowing 'require'
19:48 djun does restricting require buy you anything? I.e, can I require something that wasn't previously blocked by Safe?
19:50 aubreyja The idea behind safe is that you can in a very granular way block any perl functions from being used.  So https://github.com/aubreyja/pg-dev/compare/ask_sage
19:51 djun I don't understand the global architecture well enough yet.  Is there more than one Safe compartment? Is the Safe compartment defined only for problem evaluation?  Is it defined when Apache starts, or when the page is rendered?  If the latter, perhaps there could be different Safe configurations, depending on the problem...
19:51 aubreyja about line 359 I permit the perl functions require, caller, fileno, and unpack where previously they were "masked" by line 357
19:53 aubreyja I'm just beginning to understand it myself; I believe that each time a problem is translated a safe compartment is created for it - that is, every time a problem is accessed it gets its own safe compartment.
19:53 mgage hi guys -- this is true.
19:53 aubreyja Hi Mike
19:54 mgage The safe compartment is created in PG.pm or PG/Local.pm
19:54 mgage I suspect adding require is pretty dangerous.  For example, can I require a file that would allow me to read the password directory?
19:54 aubreyja I'm looking at Translator.pm - the constructor seems to create it there
19:55 mgage that could be also -- that's just a bit further down the chain.
19:55 aubreyja Well, even if you have require, you still need to be able to do the operations that would be needed to read the file
19:55 mgage Safe does two things -- restrict the ops and also restrict access to namespaces
19:55 aubreyja So, for example, even after I allowed require, I still needed to allow the other three in order for it to work
19:55 aubreyja (caller, fileno, and unpack)
19:56 mgage that's true -- but for example can you require the password file? what does that allow.
19:57 aubreyja Right - not sure - I think the others are fairly safe, but I would like to eliminate require because it does seem dangerous even if I can't come up with an example :)
19:57 mgage it's worth experimenting but eval, print, require were among those which perl recommended not be allowed in a Safe compartment because they have access to outside resources  -- at the time I took their word for it
19:57 aubreyja Luckily, HTTP::Tiny is pretty small, so I think I can figure out where it's being used and maybe find a work around
19:58 mgage we have allowed eval by hiding it behind PG_restricted_eval -- on the grounds that we can retroactively build safety into the function if necessary
19:58 aubreyja Ah, that's interesting - how does that make eval safer?
19:58 mgage so far we haven't found a problem -- if the eval script contains an illegal op then the illegal op is blocked.
19:59 mgage it doesn't really -- except that if we do find a vulnerability we won't have to check every use of eval -- we only have to put security restrictions into PG_restricted_eval
19:59 aubreyja ah, so, I could only allow requires maybe for the IO modules used by HTTP::Tiny…?
20:00 aubreyja where is that defined? PGcore?
20:00 mgage perhaps.  -- or you could force those requires to occur at compile time -- that is essentially what Darwyn did for PDL by putting all the dependent modules into default.config (or localOverride.conf)
20:01 mgage PG_restricted_eval is probably defined in PGbasicmacros.pl but it might be in PGcore now
20:01 aubreyja Ah, see, I put HTTP::Tiny in defaults.config too, but this was still needed. Maybe I can throw in the IO modules too to get around it
20:02 mgage actually no -- it has to be defined somewhere outside of safe and then shared with it -- find the share module space in Translator or Local.pm
20:02 mgage that's likely -- the idea is that .pm files are not evaluated under Safe and if all of the requires get done at startup before the Safe compartment is created everything is ok
20:02 aubreyja right -  I defined it in IO.pm and then shared it using Safe::Hole in Translator.pm
20:03 mgage since .pm files can't be modified from the web they are allowed more freedom.
20:07 djun i guess the behaviour of require is constrained by the @INC array, or?
20:11 mgage no  -- you can give it any path
20:21 aubreyja I've got to run home and clean up for a house showing - I'll be back on later
20:22 aubreyja Yes, btw, I guess you could do require '/root/all of the secrets/'
20:22 aubreyja who knows what would happen if people started playing around with this
20:22 aubreyja so, I'll start playing around with this :)
20:23 djun i just tried a 'require "/etc/passwd"' :)
20:23 mgage fair enough :-) -- it will make it more secure in the long run -- I've got to head off to the store too to get stuff for the trip tomorrow
20:23 mgage what happened?
20:23 aubreyja yeah, what happened?
20:24 djun got a bunch of syntax errors, but enough information leakage to be useful, perhaps
20:24 mgage require and do are essentially evals of a given file
20:24 aubreyja interesting - I'll have to try this out…ttyl
20:24 djun ttyl
20:25 mgage see if there is a way to use PG_restricted_eval to get this information as well
20:25 djun I'll have a look at this later.  i'm just running out the door to get some coffee with my sister.
20:25 aubreyja that's a good idea - there might be a way to use it to replace the require.
20:25 aubreyja left #webwork
20:25 djun agreed that it's important to sort this out :)
20:26 mgage it also might be that we have been living dangerously with PG_restricted_eval
20:37 djun joined #webwork
21:09 djun joined #webwork
23:23 aubreyja joined #webwork
23:23 aubreyja joined #webwork
23:45 aubreyja joined #webwork
23:45 aubreyja joined #webwork