On 23/10/11 18:07, Nikola Smolenski wrote:
> It is my understanding that there are three road blockers on this one:
>
> 1) ABC vs Lilypond, and which exact implementation to use. At this point
> I assume everyone is so sick of waiting that no one will care what is
> used so long as something is used.
>
> Lilypond would provide more flexibility for editors. I originally
> thought that ABC would be better for security, but it turns out that
> it is full of buffer overflow vulnerabilities, so I'm now recommending
> Lilypond without reservations.
>
> [...]
>
> 3) And the big one, security. It has not been shown that any of the
> proposed implementations is secure. I was thinking that perhaps a way to
> overcome this would be to have a dedicated system just for handling
> music rendering. It would work something like this:
>
> a) A dedicated server used only for music rendering. The server runs
> several virtual machines with the music rendering software. It only
> accepts the notes and returns the images.
>
> b) When the parent server receives a text with the notes, it only passes
> it to a free virtual machine. When it receives the images from the
> virtual machine, it passes them back to the client.
>
> c) If it doesn't receive the images within a certain time, it shuts down
> the virtual machine, starts a new one and returns an error image to the
> client.
>
> Is there a hole in this system that would make it possible to hack the
> parent server by means of a malicious file?
I think that would be overkill. All we really need is basic resource
limiting (say ulimit.sh plus PoolCounter), and LilyPond should be run
with --jail.
LilyPond has two secure modes: --safe and --jail. Running with --safe
is easy to support but has restricted functionality, which will impact
users. Running with --jail is more complex to set up, but allows
commonly-used macros to be imported.
Ideally music rendering would be split out onto different servers,
using internal api.php requests. This allows cluster-wide LilyPond
resource usage to be limited by limiting the number of servers in the
LilyPond rendering pool. It also simplifies the operations task by
reducing the number of servers that run LilyPond, making both
configuration and monitoring easier.
-- Tim Starling
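The "basic resource limiting" Tim describes, combined with the timeout-then-error-image behaviour from Nikola's step c), as an added example that is not code from this thread or from MediaWiki: a wrapper that runs a renderer under ulimit-style limits (CPU, address space), a PoolCounter-like concurrency cap, and a wall-clock timeout that kills the whole process group. The limit values, the `ERROR_IMAGE` placeholder and the renderer command are assumptions; the real LilyPond command line (with `--jail` or `--safe`) is only sketched in a comment.

```python
import os
import resource
import signal
import subprocess
import threading

# Constructed placeholder: a valid 1x1 PBM image returned on failure (assumption).
ERROR_IMAGE = b"P1\n1 1\n1\n"

# PoolCounter-style cap on concurrent renders on this host (assumed value).
MAX_CONCURRENT_RENDERS = 4
_pool = threading.BoundedSemaphore(MAX_CONCURRENT_RENDERS)


def _apply_limits(cpu_seconds, mem_bytes):
    """Runs in the forked child before exec: ulimit-style per-process limits."""
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
    resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
    os.setsid()  # own process group, so a timeout can kill the whole tree


def render_score(source, cmd, timeout=10, cpu_seconds=5, mem_bytes=512 << 20):
    """Feed `source` to the renderer `cmd` on stdin and return (status, image).

    status is "ok", "busy" (pool full), "timeout" or "error". Anything but
    "ok" returns ERROR_IMAGE, mirroring step c) of the proposed design.
    In production `cmd` would be something like (assumed, not verified here):
        ["lilypond", "--jail=USER,GROUP,JAIL,DIR", "--png", "-o", "out", "-"]
    """
    if not _pool.acquire(blocking=False):
        return "busy", ERROR_IMAGE
    try:
        proc = subprocess.Popen(
            cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            preexec_fn=lambda: _apply_limits(cpu_seconds, mem_bytes),
        )
        try:
            out, _err = proc.communicate(source, timeout=timeout)
        except subprocess.TimeoutExpired:
            os.killpg(proc.pid, signal.SIGKILL)  # pgid == pid after setsid
            proc.communicate()                   # reap the killed child
            return "timeout", ERROR_IMAGE
        if proc.returncode != 0:
            return "error", ERROR_IMAGE
        return "ok", out
    finally:
        _pool.release()
```

With `cat` standing in for the renderer the wrapper returns the input unchanged; a renderer that hangs (`sleep 30`) is killed at the deadline and the client gets the error image instead.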