[erlang-questions] Stand alone erlang deployment

Jose Castro idiay_tuanis@REDACTED
Thu Nov 12 23:24:53 CET 2009


Thanks, looked at the thread, and as I understand it there seem to be two issues here. First there is the issue of limiting connection access to an erlang node, this is obviously a network security issue that I think is best dealt with at the network management level (firewall etc.). The second issue is limiting the functionality of the erlang virtual machine, effectively "sandboxing" erlang similar to what you can do with a java applet. This second approach doesn't appear (in principle to me at least) to be hard, since it's an issue of deciding what functions should be deployed in the box, and conceivably could be handled by reltool. By sandboxing you (almost) don't care who connects since you know that certain things will definitely not happen. Granted this approach is still susceptible to other attacks like DoS, but at least you can guarantee that the hard drive won't get formatted (using erlang). I'm most probably wrong here, is there a hole in my argument/security?

Cheers,

Jose




________________________________
From: Bernard Duggan <bernie@REDACTED>
To: Jose Castro <idiay_tuanis@REDACTED>
CC: erlang-questions@REDACTED
Sent: Thu, 12 November, 2009 15:02
Subject: Re: [erlang-questions] Stand alone erlang deployment

Jose Castro wrote:
> The issue now is security, with reltool everything works fine, but even on a simple hello world, the reltool deployment allows me to run from the erlang shell something like: os:cmd("whatever!!").
>
> Is there a way to inhibit this behaviour?
    Take a look at the thread last month entitled "A less trusting
Erlang" where this is discussed in great detail.  The very short answer,
however, is "no, not if you want to use the native Erlang communication
system".  You can limit who can connect using cookies, but once
someone's connected you cannot limit what they can do.  If you need it
more secure than that, you'll want to use a system other than the native
Erlang one.

Cheers,

Bernard

________________________________________________________________
erlang-questions mailing list. See http://www.erlang.org/faq.html
erlang-questions (at) erlang.org


      

