[Python-Dev] object capability; func_closure; subclasses (original) (raw)

tav tav at espians.com
Thu Jun 28 03:04:42 CEST 2007

rehi all,

I have been looking at the object capability + Python discussions for a while now, and was wondering what the use cases for object.__subclasses__ and FunctionType.func_closure were?

I don't see subclasses used anywhere in the standard library. And whilst I can see exposing func_closure as being useful in terms of "cloning/modifying" an existing function, isn't it possible to do that without making it introspectable?

Years ago, Ka-Ping Yee pointed out:

http://mail.python.org/pipermail/python-dev/2003-March/034284.html

Derived from this we get:

capability.py functions

def Namespace(*args, **kwargs):

for arg in args:
    kwargs[arg.__name__] = arg

def get(key):
    return kwargs.get(key)

return get

class Getter(object):

def __init__(self, getter):
    self.getter = getter

def __repr__(self):
    return self.getter('__repr__') or object.__repr__(self)

def __getattr__(self, attr):
    return self.getter(attr)

io.py module

def FileReader(name):

file = open(name, 'r')

def __repr__():
    return '<FileReader: %r>' % name

def read(bufsize=-1):
    return file.read(bufsize)

def close():
    return file.close()

return Getter(Namespace(__repr__, read, close))

Now, a process A -- which has full access to all objects -- can do:

motd = FileReader('/etc/motd')

And pass it to "process B" operating in a limited scope, which can then call:

motd.read() motd.close()

But not:

motd = type(motd)(motd.name, 'w')

which would have been possible had motd been created as a file type by calling: open('/etc/motd', 'r').

Now, there are probably a million holes in this approach, but as long as process B's import is sanitised and it operates in a "limited" scope with regards to references to other functionality, this seems to be relatively secure.

However, this is where subclasses and func_closure get in the way.

With object.subclasses (as Brett points out), all defined classes/types are available -- including the file type we were trying to deny process B access to! Is it necessary to expose this attribute publically?

And, likewise with func_closure, one can do motd.read.func_closure[0].cell_contents and get hold of the original file object. Is it absolutely necessary to expose func_closure in this way?

Now, whilst probably wrong, I can see myself being able to create a minimal object capability system in pure python if those 2 "features" disappeared. Am I missing something obvious that prevents me from doing that?

Can we get rid of them for Python 2.6? Or even 2.5.2? Is anyone besides PJE actually using them? ;p

Thanks in advance for your thoughts.

-- love, tav founder and ceo, esp metanational llp

plex:espians/tav | tav at espians.com | +44 (0) 7809 569 369

More information about the Python-Dev mailing list