tags:

views:

67

answers:

1
+2  Q: 

Running DLR Embedded Scripts in Minimum Security Context

I need to get pointed in the right direction. I have embedded an Iron Python scripting host into a simple C# application, but now I need to know the best practices for locking down security on a user generated IronPython or IronRuby script.

Specifically, what are the strategies for preventing library imports and isn't there a way in .NET to run a block of code or a thread in a different security context, for instance to prevent file system access? Also, can this context be assigned a built-in level or role rather than an actual user?

Thanks!

+3  A: 

You should run scripting host in different appdomain, and setup Security Policies via Evidence property using sandboxing API

Sergey Mirvoda  2010-02-28 14:52:55
Sergey, Would that prevent an IronPython open('c:\\file.txt') call?
Josh Pearce  2010-02-28 18:36:56
not sure about Python, but if it opens file using System.IO namespace definitely yes.
Sergey Mirvoda  2010-02-28 21:16:42
I guess you're an IronRuby guy. Would a locked down AppDomain prevent ruby's native file methods from working?
Josh Pearce  2010-03-01 00:40:16
Of course! remember that IronRuby's native file methods are eventually System.IO operations.
Shay Friedman  2010-03-01 05:24:10

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?