[Python-Dev] new security doc using object-capabilities

Giovanni Bajo rasky at develer.com
Thu Jul 20 13:40:06 CEST 2006


Nick Maclaren wrote:

>> This recipe for safeeval: http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/496746
>> which is otherwise very cute, does not handle this case as well: it tries
>> to catch and interrupt long-running operations through a secondary thread,
>> but fails on a single long operation because the GIL is not released and
>> the alarm thread does not get its chance to run.
>
> Grin :-) You have put your finger on the Great Myth of such virtualisations,
> which applies to the system-level ones and even to the hardware-level ones.
> In practice, there is always some request that a sandbox can make to the
> hypervisor that can lock out or otherwise affect other sandboxes. The key
> is, of course, to admit that and to specify what is and is not properly
> virtualised, so that the consequences can at least be analysed.

I agree, and in fact Brett's work on a proper security model is greatly welcome. It's just that us mere mortals need to use eval() now, and that recipe is good enough for many practical uses. If you can't win, you can at least lose with dignity :)

Giovanni Bajo


