Is there any built-in security for servers responding to net-eval? It seems like if someone can get behind a firewall the whole game is up and they now have the same access to the net-eval server as the user account running the daemon.
If there is not built-in security, could we implement some (aside from writing my own server)? Something like a simple one-way encrypted token that is passed as a switch to the daemonizing command? Then the token would have to be passed in to net-eval.
I think this is a good point. Even if I'm behind a firewall, I need to implement a security system to protect newLisp from the attacks that could come from behind the firewall (a.k.a. from inside the company itself!).
Some hints:
1) It could be interesting if I could write a function that will be called EVERY TIME a net-eval arrives in the running server. In this way I could create a script to check incoming requests.
2) Creating an IP black list (similar to ALLOW and DENY inside Apache).
3) A system with a key (or username/password) to detect if a request is valid (or with something like a token).
4) ... and https? :-)
The easiest way would be to mimic erlang. The erlang shell has a command-line option to specify a token either directly or from a file. That token is then the key to evaluate code remotely in that instance. Any connection would require passing that token to even connect.
Jeff, I don't know erlang. So just to understand, that token would be something like a Session ID?
The token is just a string you pass to the interpreter as a password. It is then used to validate the server's clients. However, since this is done over http, I don't know that there is a secure way of transmitting it.
Some time ago I found a very good article by Carl Sassenrath on how to create a secure system to validate a user, without transmitting it over the web:
http://www.rebol.net/cookbook/recipes/0019.html
This could be a great way to validate a client without exposing the client password ;-)
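
One way to get what the posts above ask for, a startup token that validates a net-eval client without ever being sent over the connection, is a nonce-based challenge-response. This Python sketch is an added example, not code from the thread, the linked article or newLISP; `EvalGate`, `sign` and `NONCE_TTL` are hypothetical names, and the token and expressions are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL = 30  # seconds a challenge stays valid (assumed value)


class EvalGate:
    """Server side: issues one-time challenges and checks signed requests."""

    def __init__(self, token: bytes, clock=time.monotonic):
        self._token = token      # shared secret given to the daemon at startup
        self._clock = clock
        self._pending = {}       # nonce -> expiry time

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = self._clock() + NONCE_TTL
        return nonce

    def verify(self, nonce: bytes, expression: bytes, tag: bytes) -> bool:
        # pop() makes each nonce single-use, so a captured request cannot be replayed
        expiry = self._pending.pop(nonce, None)
        if expiry is None or self._clock() > expiry:
            return False
        # constant-time comparison avoids leaking the tag byte by byte
        return hmac.compare_digest(sign(self._token, nonce, expression), tag)


def sign(token: bytes, nonce: bytes, expression: bytes) -> bytes:
    """Client side: MAC over nonce and expression; the token itself is never sent."""
    # length-prefix the nonce so the nonce/expression boundary is unambiguous
    msg = len(nonce).to_bytes(2, "big") + nonce + expression
    return hmac.new(token, msg, hashlib.sha256).digest()


def demo() -> dict:
    token = b"constructed-shared-token"   # constructed sample value
    gate = EvalGate(token)
    expr = b"(+ 1 2)"
    n1 = gate.challenge()
    tag = sign(token, n1, expr)
    results = {"valid": gate.verify(n1, expr, tag)}
    results["replayed"] = gate.verify(n1, expr, tag)        # same nonce again
    n2 = gate.challenge()
    results["tampered"] = gate.verify(n2, b"(exit)", sign(token, n2, expr))
    n3 = gate.challenge()
    results["wrong_token"] = gate.verify(n3, expr, sign(b"guess", n3, expr))
    return results


if __name__ == "__main__":
    print(demo())
```

The exchange authenticates each request but does not encrypt it, so the expression and its result are still readable on the wire without TLS.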