Return-Path: X-Original-To: apmail-couchdb-dev-archive@www.apache.org Delivered-To: apmail-couchdb-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 286F3EEC0 for ; Mon, 4 Feb 2013 10:54:15 +0000 (UTC) Received: (qmail 972 invoked by uid 500); 4 Feb 2013 10:54:14 -0000 Delivered-To: apmail-couchdb-dev-archive@couchdb.apache.org Received: (qmail 920 invoked by uid 500); 4 Feb 2013 10:54:13 -0000 Mailing-List: contact dev-help@couchdb.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@couchdb.apache.org Delivered-To: mailing list dev@couchdb.apache.org Received: (qmail 889 invoked by uid 99); 4 Feb 2013 10:54:13 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 04 Feb 2013 10:54:13 +0000 X-ASF-Spam-Status: No, hits=-0.7 required=5.0 tests=RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of bchesneau@gmail.com designates 209.85.210.175 as permitted sender) Received: from [209.85.210.175] (HELO mail-ia0-f175.google.com) (209.85.210.175) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 04 Feb 2013 10:54:08 +0000 Received: by mail-ia0-f175.google.com with SMTP id r4so7961865iaj.34 for ; Mon, 04 Feb 2013 02:53:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:content-type:content-transfer-encoding; bh=c00Equ+lDm4D5wQ7WhuRXfSR5PJ2R0Im7unfBFtjpQU=; b=tD5z6jmmXoAaWSF3h8OvxRqqODm5pucpcUrXo7q6nHWetXeOyuODo7dQybA1cWCYoT Q9sspXaAzPIzCa0WpjMMY9W2B7wG/OJ3y/EQV0syQE5WoS/jHZeywRYoGN6CJOj0u8YL S2F2XEHkdkyFNBVyDgp6wCoH6khafuibPmIOD7wAadCcpL1eIsUC3+B0un8jHdA7Q1Mc 9Aepvh2HH3lI1S4cF1XCbJmxPx/HoAWbb9OkrJakZWSjL5U2zv4uY7vFl9OOCqz6YaKr h5wcFCDuDTzJgd2+SfdIMejQKYIO6s39cZHgfSSUIrGCaoa+CBAGFV94P8s+fAyTlm1r s3RA== MIME-Version: 1.0 X-Received: by 10.50.155.134 with SMTP id vw6mr5624461igb.34.1359975228095; Mon, 04 Feb 2013 02:53:48 -0800 (PST) Received: by 10.64.29.13 with HTTP; Mon, 4 Feb 2013 02:53:47 -0800 (PST) In-Reply-To: References: <5102B439.10500@lymegreen.co.uk> <91019D9B-A6AE-4311-9C11-E6001D57293A@apache.org> Date: Mon, 4 Feb 2013 11:53:47 +0100 Message-ID: Subject: Re: Branch to switch from SpiderMonkey to Node.js From: Benoit Chesneau To: "dev@couchdb.apache.org" Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable X-Virus-Checked: Checked by ClamAV on apache.org On Thu, Jan 31, 2013 at 5:54 PM, Jason Smith wrote: > > On Thu, Jan 31, 2013 at 4:34 PM, Benoit Chesneau wro= te: > > > > > A javascript engine doesn't expose any IO par default. The **framework*= * > > nodejs is, this is all the point. I'm quite interested by the existing > > solutions to sandbox nodejs, do you know some projects that does it? > > > > Correct. I am attempting to build something which satisfies your > description: no i/o; i/o is not even possible. > > *How* is it implemented? Well, it doesn't matter whether we use Node.js o= r > couchjs/SM or couchjs/v8. What matters is we feel confident about securit= y. > And of course, I agree, if we cannot achieve good security, then that is = a > show stopper. > > Here is my current plan for sandboxing CouchJS. (Thanks to Isaac for his > tips.) > > When it is time to evaluate some code: > > 1. Set up an object with safe variable bindings: safe_context > 2. fork() > 3. Child process runs vm.runInNewContext(safe_context) > 4. Child process communicates to the parent over stdio, through the > approved safe_context functions > > The subprocess can also give extra sandboxing, such as chroot() if > available. > > Yes, this causes two processes per instantiation; however I think the > parent might only be short-lived, setting up the security, then exiting. > The grandchild can talk to Erlang over stdio. > > That is my plan. No idea how well it will work. > > -- > Iris Couch Too much kool-aid imo :) This is not that it can't work. But are you seriously considering to have a main couchjs process maintaining the STDIO channel and spawn a new OS Process for a view (which what does `vm.runInNewContext`)? The memory and latency cost can became very important, and i don't count the chrooting cost especially if run this context on each indexation batch or shows, lists and views requests. + the extra fds created by each child contexts. Anyway, I looked over the week-end and didn't find so may other solutions when it's about nodejs. I read that and maybe ` vm.runInContext` [1] with `vm.CreateContext` could work or like Klaus says maybe `vm.CreateScript` though the doc[1] don't say if it s in the same process or not [2]. I guess it is. I'm interested by the solution of providing a secure "require" like suggest Klaus. How would it work? I intend to write a straight-forward port of couchjs to use v8 to see how much things it gave us, but it will be just a temporary hac, just good for 1.4 imo. I also would like to find a solution for the mobile worl and i'm not sure v8 is OK for that yet. Just some thoughts, it's cool to see such activity on this topic :) - beno=EEt [1] http://nodejs.org/api/vm.html#vm_vm_createcontext_initsandbox [2] http://nodejs.org/api/vm.html#vm_vm_createscript_code_filename [3] http://nodejs.org/api/vm.html#vm_sandboxes