TIBCO® Enterprise Runtime for R Service Installation and Administration

Safeguarding your environment

This custom property setting helps minimize the risk of malicious acts in your environment.

Configuration property Default setting Description
disable.spotfire.trust.checks FALSE

By default, TERR service checks whether a data function has come from a trusted source.

Set to TRUE to not check for the data function trust status of any data function run on TERR service.
Warning: Setting this value to TRUE results in all Spotfire data functions executing unrestricted. We strongly recommend that you ensure that your service is fully secured, that engine containers are enabled, and that network access from the containers is limited (using a firewall) to only necessary servers and ports.

For more information about script and data function trust, see the TIBCO Spotfire® Analyst User's Guide and TIBCO Spotfire® Administration Manager User's Guide.

terr.restricted.execution.mode TRUE This setting causes each expression sent to the TERR engine, running in the TERR service, to be evaluated by the function terrUtils::evalREX as to whether it is a restricted operation. Restricted execution mode allows executing arbitrary scripts without worrying that the script could do malicious things, such as deleting files or uploading confidential data to a server over the internet. evalREX is fairly conservative, preventing many operations, while still allowing some useful exceptions. The following shows a non-exhaustive list of operations disallowed in restricted execution mode.

If such an evaluation is attempted, TERR generates an error, such as "Error: restricted call to Native[tempfile]", and execution of the expression is terminated.

  • Calling the restricted TERR™ function evalREX itself.
  • Performing any I/O to the file system or the internet.
  • Loading new packages, except for the libraries included with TERR™ (stats, terrUtils, and so on).
  • Spawning new operating system processes (that is, calling system).
  • Calling .Call, used to call Rapi code in CRAN packages.
  • Calling .C or .Fortran.
  • Calling into Java using the terrJava package (which allows executing arbitrary Java methods).
  • Calling any functions in the parallel package (which uses terrJava).
  • Accessing any function environments in the stack above the call to evalREX using either sys.frame or parent.frame. This prevents malicious code from installing functions or expressions that could be executed after leaving restricted execution mode.
  • Changing the variable lookup path by setting parent.env of an environment, or reading or setting the environment of a closure.
  • Defining S4 classes and methods using setClass or setMethod.

If you need to use any part of the above functionality as part of your TERR service deployment, then you can set terr.restricted.execution.mode=FALSE. If you change this setting, be sure to review your deployment for additional steps you can take to ensure against malicious acts. See Limiting exposure of your deployment for more information.

For more information about terrUtils::evalREX, see its help file in the TIBCO® Enterprise Runtime for R Language Reference.