Limit loaded lua modules #4

Closed
christiaan opened this issue Sep 12, 2013 · 4 comments

Comments

@christiaan

In the constructor of the Lua class the following is called:
luaL_openlibs(L);

This loads all available lua libs. I want to be able to not load the OS and IO lib because I'm trying to create a secure sandbox to run third party code that should not be able to access anything else than the PHP methods I expose.

Could you create a way to limit the Lua modules to load?

@krixon

krixon commented Jul 31, 2014

You can achieve the same result by nulling the variable containing the library via assign().

$lua->assign('os', null);

@christiaan
Author

Isn't it still available through other means? Like the loaded libs.
I remember dumping the global var G after nulling those variables and there were still ways to reach it.

@hjanuschka
Contributor

Would any ini option like lua.load_std_libs fit your needs?
Defaulting to true and loading the libs - when set to false, skip the luaL_openlibs(L) call?

@christiaan
Author

Apparently it is not all that simple as this after reading up on Lua Sandboxes.
However, everything can be solved from within Lua, either by setfenv or the trick described here for Lua 5.2.

It might be worth having a section about sandboxing in the docs somewhere, as I imagine most people want to use it for that purpose in PHP.
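
The in-Lua approach the thread ends on, as an added example that is not part of the original comments or of the project's code: it checks that clearing the `os` global leaves the library reachable through the loaded modules, then runs untrusted source in an allow-list environment. `new_env` and `run_sandboxed` are hypothetical names, and it assumes the Lua 5.2 technique referred to is `load` with an explicit environment table (`setfenv` is used on 5.1).

```lua
-- Added example (not from the thread or the php-lua project).
-- new_env and run_sandboxed are hypothetical names.

-- Clearing the global does not unload the library: the table that
-- luaL_openlibs registered is still reachable via package.loaded/require.
local real_os = os
os = nil
assert(package.loaded.os == real_os and require("os") == real_os)
os = real_os

-- Copy only the named fields so the sandbox cannot modify the host's tables.
local function pick(lib, names)
  local out = {}
  for _, name in ipairs(names) do out[name] = lib[name] end
  return out
end

-- Allow-list environment: anything not listed here does not exist for the chunk.
local function new_env()
  return {
    ipairs = ipairs, pairs = pairs, select = select, type = type,
    tonumber = tonumber, tostring = tostring,
    string = pick(string, {"format", "len", "lower", "sub", "upper"}),
    table  = pick(table,  {"concat", "insert", "remove", "sort"}),
    math   = pick(math,   {"abs", "floor", "max", "min"}),
  }
end

local function run_sandboxed(code, env)
  -- Refuse precompiled chunks (they start with ESC); only source text is loaded.
  if code:byte(1) == 27 then return false, "bytecode rejected" end
  local chunk, err
  if setfenv then                          -- Lua 5.1 / LuaJIT
    chunk, err = loadstring(code, "=sandbox")
    if chunk then setfenv(chunk, env) end
  else                                     -- Lua 5.2+
    chunk, err = load(code, "=sandbox", "t", env)
  end
  if not chunk then return false, err end
  return pcall(chunk)
end

-- Constructed inputs: blocked names resolve to nil, allowed ones work.
local ok, a, b, c, d = run_sandboxed("return os, io, require, package", new_env())
assert(ok and a == nil and b == nil and c == nil and d == nil)
assert(select(2, run_sandboxed("return string.upper('ok')", new_env())) == "OK")
assert(run_sandboxed("return os.getenv('HOME')", new_env()) == false)
```

String methods called as `s:method()` go through the shared string metatable rather than `env.string`, and this environment does not bound CPU time or memory.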
