Subject: Re: Elixir Sandbox
From: Filippo Fadda
Date: Wed, 16 Oct 2013 23:43:38 +0200
To: dev@couchdb.apache.org
References: <980F839E3DB1465287B1FFE3FF665DEB@chriskeele.com> <878ABCFE-A3E9-4FA8-84F7-C58729570834@programmazione.it>

Sandboxing is useful when you are running applications you can't trust in a defined environment (like an OS): not libraries, but applications. For example, in iOS all the apps are sandboxed, not the system libraries. But no one can run an application inside CouchDB if CouchDB can't be accessed from outside. You can't do the equivalent of SQL injection in CouchDB when using CouchDB as a simple DBMS. A user can't insert a ddoc in it if you can connect to CouchDB only from localhost and you don't know the admin's username and password.

The only person able to write ddocs is the application developer, and I'm pretty sure he won't delete the root directory in a map function. When used as a pure database, CouchDB is not an environment; it's a database, something in which to store documents, using a client. CouchDB used to run Couch apps, instead, is an environment: it acts like an OS in which the applications run. In this case, maybe, you need a sandbox.

I mean, the only need I see for sandboxing here is when you have a company selling CouchDB as a service and running any kind of third-party applications, or, as I said, when you are using CouchDB as the environment in which the Couch apps run.

I'm not saying sandboxing is useless; I'm saying it's something optional a sysadmin should enable in case of need.

-Filippo

On Oct 16, 2013, at 11:03 PM, Alexander Shorin wrote:

> Because you are running your code and you trust yourself (I hope so).
> Another user may not trust you or your code, so he has to inspect
> every bit of your code to make sure that it wouldn't make a big
> security hole in his server. Having a sandboxing feature guarantees him
> that he may run third-party code with no worries.
>
> --
> ,,,^..^,,,
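The precondition Filippo relies on above (CouchDB reachable only from localhost, and design documents writable only by an admin whose credentials an attacker does not know) is a configuration choice, not a default. The following local.ini fragment is an added illustration, not code from the thread or from the CouchDB project; it assumes the CouchDB 1.x configuration keys (`[httpd] bind_address`, `[admins]`, `[couch_httpd_auth] require_valid_user`) and shows the exposed setup beside the locked-down one that the argument depends on. The admin name and password are placeholders.

```ini
; --- Exposed setup (what the argument above does NOT cover) ---
; Listening on every interface, and no [admins] entry at all: CouchDB 1.x
; then runs in "admin party" mode, so anyone who can reach the port can
; PUT a design document and have its map function executed by the view server.
[httpd]
bind_address = 0.0.0.0

; --- Locked-down setup (the precondition the argument assumes) ---
; Only local clients can connect, and writing a design document requires
; the admin credentials. With require_valid_user, even reads need a valid
; user, which is the "pure database behind an application" deployment.
[httpd]
bind_address = 127.0.0.1

[admins]
; Placeholder credentials (assumption for this example). CouchDB 1.x
; replaces the plaintext value with a hash on startup.
app_admin = change-me

[couch_httpd_auth]
require_valid_user = true
```

A quick check after restarting: an unauthenticated `PUT /mydb/_design/example` from localhost should be refused (401 with `require_valid_user`, otherwise 403 for non-admins), and the same request with the admin credentials should succeed. If the first request is accepted, the server is still in admin party mode and the "only the developer can write ddocs" assumption does not hold.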