[Python-Dev] rexec question

Jeremy Hylton jeremy@zope.com
Mon, 15 Apr 2002 12:58:52 -0400


"SP" == Samuele Pedroni <pedroni@inf.ethz.ch> writes:

SP> what's the general python-dev opinion about rexec security
SP> enforcement?

SP> can it be trusted? it is up e.g. to java security?

No.

There's been no serious maintenance of rexec since work on the Knowbot system stopped, AFAIK. New-style types, e.g., don't have any of the same checks that classic classes have.

There are really two parts to rexec: The basic checks in the interpreter to limit access to certain objects, and the rexec import hooks and related mechanism.

The Bastion object plus basic checks in the interpreter limit access to an object (can't access dict, classes are immutable, etc.) in order to achieve some kind of enforced encapsulation; Java's type system provides this automatically.

Jim Fulton has suggested using proxies to implement security (mislabelled, I think, as capabilities):

http://www.zope.org//Wikis/DevSite/Projects/ComponentArchitecture/CapabilityBasedSecurity

I really like this proposal because it takes all the various rexec checks in the interpreter and pushes them out to a proxy object that can implement exactly the checks needed. I'd have more trust in this mechanism, because there is less code to inspect to review the encapsulation mechanism.

Jeremy
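The Bastion-versus-proxy distinction in the message above, as an added example that is not part of Jeremy's post, of the rexec/Bastion modules, or of the Zope proposal. The `Account` class, the allow-lists and both proxy classes are constructed for illustration. `NaiveProxy` does what the post describes as Bastion's job (filter attribute names, hide `__dict__`, refuse writes) but returns the target's real bound methods, so the wrapped object escapes through `method.__self__`; `Proxy` re-wraps everything that is not plain data so that channel is closed.

```python
"""Bastion-style attribute-filtering proxies (constructed example, not rexec code).

The encapsulation checks live in one small class that can be reviewed in
isolation, which is the property the post prefers over checks scattered
through the interpreter.
"""
from typing import Any, Iterable

# Values of these types are returned as-is; everything else gets re-wrapped.
PASSTHROUGH = (int, float, str, bytes, bool, type(None))


class Account:
    """Constructed target object with state that must stay hidden."""

    def __init__(self, owner: str, balance: int) -> None:
        self.owner = owner
        self._balance = balance  # private: must not be reachable via a proxy

    def deposit(self, amount: int) -> int:
        self._balance += amount
        return self._balance


class NaiveProxy:
    """Forwards only allow-listed names and refuses writes.

    __getattribute__ (not __getattr__) is overridden so that *every* lookup,
    including __dict__, __class__ and the proxy's own slots, hits the filter.
    __slots__ removes the proxy's own __dict__ as a side channel.
    """

    __slots__ = ("_target", "_allowed")

    def __init__(self, target: Any, allowed: Iterable[str]) -> None:
        object.__setattr__(self, "_target", target)
        object.__setattr__(self, "_allowed", frozenset(allowed))

    def __getattribute__(self, name: str) -> Any:
        if name not in object.__getattribute__(self, "_allowed"):
            raise AttributeError(f"access to {name!r} denied")
        return getattr(object.__getattribute__(self, "_target"), name)

    def __setattr__(self, name: str, value: Any) -> None:
        raise AttributeError("proxy is read-only")


class Proxy(NaiveProxy):
    """Same filter, but bound methods (and any other non-data result) come
    back wrapped in a Proxy that exposes no names, so the real object cannot
    be recovered through method.__self__."""

    __slots__ = ()

    def __getattribute__(self, name: str) -> Any:
        return _guard(super().__getattribute__(name))

    def __call__(self, *args: Any, **kwargs: Any) -> Any:
        # Used when the wrapped target is itself a callable (a bound method).
        # The call operator goes through type(self).__call__, so it is not
        # subject to the attribute filter, while the result is re-guarded.
        return _guard(object.__getattribute__(self, "_target")(*args, **kwargs))


def _guard(value: Any) -> Any:
    """Let plain data through; wrap anything else with an empty allow-list."""
    if isinstance(value, PASSTHROUGH):
        return value
    return Proxy(value, allowed=())


def leak_via_naive() -> int:
    """Constructed check: NaiveProxy hands out the real bound method, and its
    __self__ is the unwrapped Account, so the hidden balance is readable."""
    acct = Account("alice", 100)
    p = NaiveProxy(acct, allowed={"owner", "deposit"})
    return p.deposit.__self__._balance


def hardened_blocks_leak() -> bool:
    """Constructed check: Proxy still serves the allow-list but denies both the
    __self__ route and every non-allow-listed name."""
    acct = Account("alice", 100)
    p = Proxy(acct, allowed={"owner", "deposit"})
    if p.owner != "alice" or p.deposit(25) != 125:
        return False
    for obj, name in ((p.deposit, "__self__"), (p, "_balance"),
                      (p, "__dict__"), (p, "__class__"), (p, "_target")):
        try:
            getattr(obj, name)
        except AttributeError:
            continue
        return False
    return True


if __name__ == "__main__":
    print("naive proxy leaks balance:", leak_via_naive())
    print("hardened proxy blocks leak:", hardened_blocks_leak())
```

The hardened proxy only closes the channels the untrusted code reaches by attribute access. In unrestricted CPython the wrapped object is still reachable through class-level introspection, for example the slot descriptor `type(p).__dict__["_target"].__get__(p)`, so a proxy like this is a boundary only when it is combined with the other half the post mentions, a restricted namespace in which the untrusted code cannot get at `type`, the proxy class, or the import machinery.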