[Python-Dev] Re: Capabilities

Guido van Rossum guido@python.org
Sun, 09 Mar 2003 20:08:20 -0500


[Zooko]

> 2. Mandatory private data (accessible only by the object itself).
> Normal Python doesn't have mandatory private data. If I
> understand correctly, both rexec and proxies (attempt to) provide
> this. They also attempt to provide another safety feature: a
> wrapper around the standard library and builtins that turns off
> access to dangerous features according to an overridable security
> policy.

[Zooko, responding to himself]

Perhaps it is that "restricted execution" is designed to provide private data, by disabling certain introspection features, and "rexec" and "proxies" are designed to provide the wrapper feature?

Not really. Restricted execution doesn't provide private data in general: all instance variables of all user-defined classes are accessible to restricted code. However, restricted execution prevents introspection paths that can lead from a function or bound method to its globals or object, respectively, thereby effectively turning functions and bound methods into capabilities.

Security proxies can be used to enforce private data, however.

The "rexec" module is used to wrap the standard library. Its approach is the following, implemented by overriding __import__:

It also wraps open() and a few other built-ins.

--Guido van Rossum (home page: http://www.python.org/~guido/)
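Added example, not part of Guido's message and not code from the rexec or Bastion modules: it shows the two introspection paths the message refers to (a bound method leaking its object, a function leaking its globals), the security-proxy pattern that enforces private data, and the path a proxy still leaks in unrestricted Python unless the runtime hides it, which is what restricted execution did. The names `Account`, `Proxy` and `make_capability` are mine; the attribute names are the Python 3 spellings (`__self__`, `__globals__`, `__closure__`) of the Python 2 `im_self`, `func_globals` and `func_closure` that restricted execution blocked.

```python
# Added example (not from the original message or from Python's rexec/Bastion).
# Hypothetical names: Account, Proxy, make_capability.


class Account:
    """Ordinary class: nothing in normal Python makes _balance private."""

    def __init__(self, balance):
        self._balance = balance

    def deposit(self, amount):
        self._balance += amount
        return self._balance

    def balance(self):
        return self._balance


def object_behind_bound_method(method):
    """First introspection path: a bound method carries its object as
    __self__ (im_self in Python 2), so handing out account.balance hands
    out the whole account."""
    return method.__self__


def globals_behind_function(func):
    """Second introspection path: a plain function carries its module
    namespace as __globals__ (func_globals in Python 2)."""
    return func.__globals__


class Proxy:
    """Minimal security proxy: forwards only the methods in `allowed`, so a
    caller gets behaviour, not the object and not its attributes."""

    def __init__(self, target, allowed):
        self._target = target
        self._allowed = frozenset(allowed)

    def __getattr__(self, name):
        # Only reached when normal lookup fails, i.e. for forwarded names
        # and for anything a caller tries to reach on the wrapped object.
        if name not in self._allowed:
            raise AttributeError("access to %r is not permitted" % name)
        bound = getattr(self._target, name)

        def forward(*args, **kwargs):
            return bound(*args, **kwargs)

        return forward


def make_capability(account):
    """A 'deposit and read balance' capability for one account."""
    return Proxy(account, ("deposit", "balance"))


def private_data_is_blocked(cap):
    """True if the proxy refuses to expose the wrapped object's _balance."""
    try:
        cap._balance
    except AttributeError:
        return True
    return False


def escape_via_introspection(cap):
    """Why proxies alone are not enough in unrestricted Python: the forwarding
    closure's free variable is the real bound method, and its __self__ is the
    real object.  Restricted execution closed exactly this kind of path by
    hiding func_closure, func_globals and im_self from restricted code."""
    forward = cap.balance
    bound = forward.__closure__[0].cell_contents
    return bound.__self__
```

Run against an `Account(10)`: `cap.deposit(5)` returns 15 and `cap._balance` raises `AttributeError`, so the proxy does enforce the private data, but `escape_via_introspection(cap)` returns the underlying `Account`, and `cap._target` is an ordinary attribute too. That is the division of labour the message describes: a proxy decides what is exposed, while the runtime (restricted execution) has to remove the introspection paths that route around it. In ordinary CPython neither this class nor rexec, which was later disabled and is not present in Python 3, is a sandbox.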