[Haskell-cafe] ghci in gallery

Tobias Florek haskell at ibotty.net
Thu Feb 13 09:01:32 UTC 2014


hi,

>    The process is run with user 'nobody', so hopefully that will be a
> bit safer, i.e.

a bit, yes. apart from breaking out of the account (and becoming root)
via os vulnerabilities the user can send any network traffic they like,
which might or might not be ok. also there might be any number of
important processes running for user nobody. you'd better use a dedicated
user for running ghci. that might also allow you to sandbox the account
more easily (firewall and dac's/mac's, etc. i don't know what's available on
mac os x).

you might also like to look into SafeHaskell to restrict what users can do.

good luck,
 tobias florek




