Riccardo (Jack) Lucchetti wrote:
On Mon, December 18, 2006 04:00, Allin Cottrell wrote:
>> May I repeat the question about the (im)possibility of shell
>> escapes ('!') in functions? Then one could call any external
>> engine one likes and provide a nice gretl function package
>> interface for others (and oneself). For example it may also be
>> nice to plug in some R routines in this way.
> I see your point. My concern is to ensure that gretl doesn't
> become a vector for malware. Maybe this is paranoid, but paranoia
> seems reasonable given the current state of the internet. Anyone
> else have thoughts on this?
I agree with Sven. Being multi-platform is a big asset here. Even if someone
may conceivably embed a line like
!sudo rm -rf /
in a script, I'm sure Windows users will notice that the script isn't working
for some obscure reason and the above cunning stratagem will be rather
short-lived.
Thanks Jack, although I'm not completely sure that your optimism is
warranted...
Two thoughts: First, gui-gretl's design is good in that the user needs
to specifically allow shell commands in the preferences. Also, for
function packages one could tell authors that the function needs to
print a warning at the end if it made use of shell commands. Something
like: "Don't forget to disable shell commands again in your preferences
for security reasons." Of course, one would also have to think of how to
secure the function package repository against unwanted alterations.
(What's the current state there?) But in the end I think it's reasonably
safe.
Secondly, Allin's point made me think about command-line gretl. I mean
shell commands are allowed in normal scripts, so what security exists
when a script is executed? Is there a switch like the one in the
gui-preferences?
thanks,
sven