open == file considered harmful (Re: [Python-Dev] RE: rexec.pyunuseable)
Guido van Rossum guido at python.org
Wed Dec 17 19:12:09 EST 2003
> It would be a lot better if we could get away from the idea of a "restricted mode" in the sense of a flag somewhere that a bunch of things have to take notice of in order to behave securely, because that model of security is prone to springing leaks -- as happened in a big way when new-style classes were introduced.
Right. Restricted mode currently uses both paradigms: you only have access to the builtins that are given to you in the builtins dict -- this is pure capability stuff, and IMO it works well -- and some builtin operations behave differently when you're in restricted mode -- this is the ACL stuff, and Samuele revealed serious holes in it.
> The spirit behind my suggestion was to start thinking about ways in which functionality could be separated out so that this kind of special-casing for security purposes isn't needed.
Right.
--Guido van Rossum (home page: http://www.python.org/~guido/)
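The two paradigms contrasted in the exchange above, as an added illustration that is not part of the thread or of CPython's rexec: a constructed mode flag (`RESTRICTED`) and an in-memory `FILES` dict stand in for the real flag and filesystem, and the capability half assumes the sandboxed code can reach no names beyond the `caps` dict it is handed.

```python
# Constructed model, not CPython's rexec: RESTRICTED stands in for the old
# restricted-mode flag, FILES for the filesystem.
RESTRICTED = False
FILES = {"secret.txt": "constructed secret contents\nline two"}


def acl_open(path):
    """A well-behaved operation: it remembers to consult the mode flag."""
    if RESTRICTED:
        raise PermissionError("open is not allowed in restricted mode")
    return FILES[path]


def acl_readlines(path):
    """A later addition that never got the check: the kind of leak the thread warns about."""
    return FILES[path].splitlines()


def run_with_flag(untrusted):
    """ACL paradigm: set the flag, run the code, and hope every operation checked it."""
    global RESTRICTED
    RESTRICTED = True
    try:
        return untrusted()
    finally:
        RESTRICTED = False


def run_with_capabilities(untrusted, caps):
    """Capability paradigm: the code receives a dict of what it may call and nothing else.
    (The model assumes the sandboxed code cannot reach any name outside `caps`.)"""
    return untrusted(caps)


def sandboxed_flag_code():
    """Untrusted code under the flag model: the guarded path fails, the unguarded one does not."""
    try:
        return acl_open("secret.txt")
    except PermissionError:
        return acl_readlines("secret.txt")


def sandboxed_cap_code(caps):
    """Untrusted code under the capability model: no readlines capability means no file access."""
    read = caps.get("readlines")
    return read("secret.txt") if read else None
```

Under the flag model the sandbox leaks as soon as one operation forgets the check; under the capability model there is no check to forget, because the authority is simply absent from `caps`.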