Security and net-eval

Started by Jeff, January 31, 2008, 05:42:02 PM


Jeff

Is there any built in security for servers responding to net-eval?  It seems like if someone can get behind a firewall the whole game is up and they now have the same access to the net-eval server as the user account running the daemon.



If there is not built-in security, could we implement some (aside from writing my own server)?  Something like a simple one-way encrypted token that is passed as a switch to the daemonizing command?  Then the token would have to be passed in to net-eval.
Jeff

=====

Old programmers don't die. They just parse on...

Artful code: http://artfulcode.net

ale870

#1
I think this is a good point. Even if I'm behind a firewall, I need to implement a security system to protect newLISP from the attacks that could come from behind the firewall (a.k.a. from inside the company itself!).



Some hints:



1) It could be interesting if I could write a function that will be called EVERYTIME a net-eval arrives in the running server. In this way I could create a script to check incoming requests.



2) Creating an IP black list (similar to ALLOW and DENY inside Apache).



3) A system with a key (or username/password) to detect if a request is valid (or with something like a token).



4) ... and https? :-)
--

Jeff

#2
The easiest way would be to mimic erlang.  The erlang shell has a command-line option to specify a token either directly or from a file.  That token is then the key to evaluate code remotely in that instance.  Any connection would require passing that token to even connect.
Jeff

ale870

#3
Jeff, I don't know erlang. So just to understand, that token would be something like a Session ID?
--

Jeff

#4
The token is just a string you pass to the interpreter as a password.  It is then used to validate the server's clients.  However, since this is done over http, I don't know that there is a secure way of transmitting it.
Jeff

ale870

#5
Some time ago I found a very good article by Carl Sassenrath on how to create a secure system to validate a user, without transmitting it over the web:



http://www.rebol.net/cookbook/recipes/0019.html



This could be a great way to validate a client without exposing the client password ;-)
--
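The idea raised in #2 (a token the daemon is started with, required before anything is evaluated) and in #5 (proving knowledge of the secret without sending it) can be combined in a challenge-response gate. The following is an added example, not code from the thread or from newLISP's net-eval; it assumes a shared token known to both sides and uses a generic HMAC-over-nonce scheme (a placeholder for whatever the linked recipe does in detail). The server issues a one-time nonce, the client returns an HMAC of nonce plus the expression, and the server only evaluates when the proof matches; the token itself never crosses the wire.

```python
import hmac
import hashlib
import secrets


def prove(token: bytes, nonce: bytes, expr: bytes) -> bytes:
    """Client side: bind the shared token to this nonce AND this expression.

    Including the expression means a captured proof cannot be reused to
    submit a different expression under the same challenge.
    """
    return hmac.new(token, nonce + b"\x00" + expr, hashlib.sha256).digest()


class NetEvalGate:
    """Server side: holds the shared token and issues one-time challenges."""

    def __init__(self, token: bytes):
        self._token = token
        self._pending = set()  # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        # Fresh random nonce per connection; it is consumed on first use,
        # so replaying a sniffed (nonce, proof) pair is rejected.
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, expr: bytes, proof: bytes) -> bool:
        """Return True only if `proof` was made with our token for this nonce/expr."""
        if nonce not in self._pending:
            return False  # unknown or already-used challenge
        self._pending.discard(nonce)  # single use, even when the proof is wrong
        expected = prove(self._token, nonce, expr)
        return hmac.compare_digest(expected, proof)  # constant-time comparison


def demo() -> bool:
    # Constructed sample: a client that knows the token gets through,
    # a client that guesses does not.
    token = b"constructed-shared-token"
    gate = NetEvalGate(token)
    expr = b"(+ 3 4)"
    nonce = gate.challenge()
    good = gate.verify(nonce, expr, prove(token, nonce, expr))
    nonce = gate.challenge()
    bad = gate.verify(nonce, expr, prove(b"guess", nonce, expr))
    return good and not bad
```

Because the proof is an HMAC over an observable nonce, a passive listener can still try offline guesses against a weak token, so the token passed to the daemon should be long and random rather than a human-chosen password.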