Opened 13 years ago
Closed 5 years ago
#453 closed defect (duplicate)
WHIZARD Web services
Reported by: | Christian Speckner | Owned by: | Christian Speckner |
---|---|---|---|
Priority: | P4 | Milestone: | v4.0 |
Component: | configure | Version: | 2.0.6 |
Severity: | minor | Keywords: | |
Cc: |
Description
For improved security, i.e. in environments where WHIZARD runs SINDARIN supplied by users without shell access, it is desirable to deactivate the execution of external programs. I suggest implementing a security command line flag which deactivates exec (and maybe other functionality) on request, the default of which could be modified at configure time. If no one objects, I would implement this.
Change History (11)
comment:1 Changed 13 years ago by
comment:2 Changed 13 years ago by
Milestone: | v2.0.7 → v2.1.0 |
---|
As long as this does not apply for the internal programs like O'Mega, Gamelan etc. I am fine with that. But I think this is not top priority right now.
comment:3 Changed 13 years ago by
We should discuss this once again. How it is ranked, what is intended, and who is going to do it when!
comment:4 Changed 13 years ago by
Milestone: | v2.1.0 → v2.2.0 |
---|
Okay, I believe this ticket will never be addressed....
comment:6 Changed 10 years ago by
Component: | core → configure |
---|---|
Milestone: | v2.3.0 → v3.0 |
Summary: | Disable exec functionality at configure / runtime → WHIZARD Web services |
This includes: Disable exec functionality at configure / runtime.
comment:7 Changed 10 years ago by
Should we set up a WHIZARD web server, we should remember to take care of exec traps.
comment:8 Changed 8 years ago by
Should we actually bury this project, or does anyone think this will ever happen?
comment:10 Changed 7 years ago by
Milestone: | v3.0.0 → v4.0 |
---|
comment:11 Changed 5 years ago by
Resolution: | → duplicate |
---|---|
Status: | new → closed |
Transferred to Gitlab issue 339.
Yes, agreed. I would even turn the logic around:
WHIZARD maintains a list of allowed programs, which is checked against the argument of the 'exec' command (which should execute one program at a time). The list is given to WHIZARD on the command line (analogous to --user-lib; the array can reside in the 'global' record of rt_data_t). Furthermore, if the user doesn't want to give fully qualified paths as program names, he has to provide the search path explicitly, also on the command line. Otherwise, the 'exec' command uses an empty search path for the spawned shell.
The idea is that the 'exec' feature should be used sparingly. The Sindarin file, by itself, should not be able to raise privileges.
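The allowlist policy proposed in the comment above, sketched in Python as an added example (not WHIZARD code, which is Fortran, and not part of the ticket). `resolve_allowed`, `run_allowed` and `ExecDenied` are hypothetical names, and the sketch assumes the program is started directly with an empty `PATH` rather than through a spawned shell.

```python
import os
import shlex
import subprocess

FORBIDDEN = set(";|&<>$`\n")  # shell control characters: one program per exec


class ExecDenied(Exception):
    """The exec request violates the allowlist policy."""


def resolve_allowed(command, allowed, search_path=()):
    """Return argv with an absolute program path, or raise ExecDenied.

    allowed     -- bare program names and/or fully qualified paths
                   (hypothetical stand-in for the command-line list)
    search_path -- directories supplied explicitly; empty by default
    """
    if FORBIDDEN & set(command):
        raise ExecDenied("shell control character in command")
    try:
        argv = shlex.split(command)
    except ValueError as err:  # unbalanced quotes
        raise ExecDenied(str(err)) from err
    if not argv:
        raise ExecDenied("empty command")
    prog = argv[0]
    if os.path.isabs(prog):
        # Fully qualified path: must itself be listed (after normalisation).
        path = os.path.normpath(prog)
        listed = {os.path.normpath(a) for a in allowed if os.path.isabs(a)}
        if path not in listed:
            raise ExecDenied(f"{path} is not on the allowlist")
    elif os.sep in prog:
        raise ExecDenied("relative paths are not accepted")
    elif prog not in allowed:
        raise ExecDenied(f"{prog} is not on the allowlist")
    else:
        # Bare name: look only in the explicitly supplied directories.
        hits = [os.path.join(d, prog) for d in search_path if os.path.isabs(d)]
        path = next((p for p in hits
                     if os.path.isfile(p) and os.access(p, os.X_OK)), None)
        if path is None:
            raise ExecDenied(f"{prog} not found in the supplied search path")
    return [path] + argv[1:]


def run_allowed(command, allowed, search_path=()):
    """Run an allowlisted program directly (no shell) with an empty PATH."""
    argv = resolve_allowed(command, allowed, search_path)
    return subprocess.run(argv, env={"PATH": ""}, shell=False,
                          capture_output=True, text=True, timeout=30)
```

Rejecting every shell control character also refuses legitimate arguments that contain them, which matches the intent that 'exec' be used sparingly.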