[erlang-questions] Sandbox for Erlang emulator

Kirill Zaborski <>
Sun Dec 3 16:58:51 CET 2006


The idea is to make some public webserver "Erlang Playground"  where anybody
can run Erlang code without crashing the system (i.e. limited or maybe no
file acces at all, no access to "system" erlang functions which can make
emulator unstable). So VMWare and file acces rights are not the right ways
because some source code "filtering" should be done. So I'll check what
could be done in Erlhive.

Thanks

On 12/3/06, Ulf Wiger <> wrote:
>
> Den 2006-12-03 15:05:06 skrev Kirill Zaborski <>:
>
> > What do you think is the best way to implement a sandbox
> > for Erlang emulator?
>
> I'd say that depends on what you want to do, more specifically.
>
> > Actually I want to restrict access to the file system,
> > network (and maybe something else) from the code running
> > inside the emulator. Is Erlhive a suitable tool for it?
>
> Erlhive doesn't restrict the emulator, but rather restricts
> what you can do in your programs. Currently, it also carries
> the overhead of mnesia transactions. The code transformation
> could probably be separated, but that hasn't been done yet.
>
> Without knowing more, it's difficult to say whether Erlhive
> would be a good choice. It assumes some kind of authenticating
> front-end (the example code is Yaws-based). Erlhive ought to
> be a suitable sandbox for a data driven web application.
>
> > The only other way I see to do this is to run the emulator
> > under the user with minimal privileges.
> > Any other ideas?
>
> You could run a VMWare appliance - e.g. an Ubuntu image with
> erlang installed. This would give you a sandbox without
> limiting what can be done in the Erlang/OTP environment.
> It will carry some overhead, though.
>
> BR,
> Ulf Wiger
> --
> Ulf Wiger
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20061203/8ca760c2/attachment.html>


More information about the erlang-questions mailing list