open == file considered harmful (Re: [Python-Dev] RE: rexec.pyunuseable)
Nick Coghlan ncoghlan at iinet.net.au
Thu Dec 18 05:58:42 EST 2003
- Previous message: open == file considered harmful (Re: [Python-Dev] RE: rexec.pyunuseable)
- Next message: open == file considered harmful (Re: [Python-Dev] RE: rexec.pyunuseable)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Guido van Rossum wrote:
> > It would be a lot better if we could get away from the idea of a "restricted mode" in the sense of a flag somewhere that a bunch of things have to take notice of in order to behave securely, because that model of security is prone to springing leaks -- as happened in a big way when new-style classes were introduced.
> Right. Restricted mode currently uses both paradigms: you only have access to the builtins that are given to you in the builtins dict -- this is pure capability stuff, and IMO it works well -- and some builtin operations behave differently when you're in restricted mode -- this is the ACL stuff, and Samuele revealed serious holes in it.
What if instead of 'builtin behaves differently in restricted mode' we had 'restricted builtins contains a DIFFERENT builtin, that happens to have the same name'?
That is, in addition to the ability to simply deny access to a specific builtin function or class, there was the ability to replace one before giving it to the restricted code.
Regards, Nick.
--
Nick Coghlan | Brisbane, Australia
Email: ncoghlan at email.com | Mobile: +61 409 573 268
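The replacement-rather-than-flag idea from the message above, worked through in modern Python as an added example (this is not code from the thread, from rexec, or from CPython). Untrusted code is handed a builtins dict that simply lacks `file`, `__import__` and friends, and whose `open` is a different object of the same name that only reads inside one directory. The second half shows the caveat a practitioner needs: swapping the name does not remove the original object from the process, so code that reaches `object` from a literal and walks `__subclasses__()` still finds the real `_io.FileIO`. `make_safe_open`, `restricted_builtins`, `run_restricted`, `PROBE` and `demo` are all names invented here; the file contents and paths are constructed by `demo()`.

```python
import builtins
import os
import tempfile


def make_safe_open(sandbox_dir):
    """Replacement for open(): read-only, confined to sandbox_dir.

    The real open() is captured once, here, and is only ever called on a path
    this function resolved itself, so restricted code never holds the original.
    """
    real_open = builtins.open
    root = os.path.realpath(sandbox_dir)

    def safe_open(path, mode="r", *args, **kwargs):
        if any(c in mode for c in "wax+"):
            raise PermissionError("restricted open: read-only")
        # realpath collapses '..' and symlinks before the containment check
        full = os.path.realpath(os.path.join(root, path))
        if os.path.commonpath([root, full]) != root:
            raise PermissionError("restricted open: %r is outside the sandbox" % path)
        return real_open(full, mode, *args, **kwargs)

    return safe_open


def restricted_builtins(sandbox_dir):
    """The dict handed to untrusted code: a short allow-list plus a
    *different* object under the name 'open'.  Anything not listed here
    (file, __import__, eval, ...) does not exist by name in that code."""
    allowed = ("len", "range", "str", "int", "list", "dict", "isinstance")
    safe = {name: getattr(builtins, name) for name in allowed}
    safe["open"] = make_safe_open(sandbox_dir)
    return safe


def run_restricted(src, sandbox_dir):
    """exec() untrusted source with the replaced builtins; return its `result`."""
    env = {"__builtins__": restricted_builtins(sandbox_dir)}
    exec(src, env)
    return env.get("result")


# Caveat: replacing the *name* leaves the original object in the process.
# With no builtins at all, a tuple literal gives type and object; walking
# __subclasses__() from object reaches _io.FileIO, which ignores safe_open.
# Hypothetical probe written for this example; demo() substitutes the path.
PROBE = '''
tp = ().__class__.__class__              # type
todo = [().__class__.__mro__[-1]]        # object
seen = []
result = None
while todo:
    cls = todo.pop()
    if cls.__name__ == "FileIO":
        f = cls(%r, "r")                 # raw file outside the sandbox
        result = f.read()
        f.close()
        break
    for sub in tp.__subclasses__(cls):   # unbound form also works for type itself
        if sub not in seen:
            seen.append(sub)
            todo.append(sub)
'''


def demo():
    """Exercise the replaced open() and the introspection caveat; return outcomes."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        sandbox = os.path.join(tmp, "sandbox")
        os.mkdir(sandbox)
        with open(os.path.join(sandbox, "allowed.txt"), "w") as f:
            f.write("inside")                       # constructed sample data
        secret = os.path.join(tmp, "secret.txt")    # deliberately outside the sandbox
        with open(secret, "w") as f:
            f.write("secret")

        out["inside"] = run_restricted(
            'f = open("allowed.txt"); result = f.read(); f.close()', sandbox)
        try:
            run_restricted('result = open("../secret.txt").read()', sandbox)
            out["escape_blocked"] = False
        except PermissionError:
            out["escape_blocked"] = True
        try:
            run_restricted('result = file("allowed.txt")', sandbox)
            out["file_missing"] = False
        except NameError:
            out["file_missing"] = True
        try:
            run_restricted("import os", sandbox)
            out["import_missing"] = False
        except ImportError:                          # no __import__ in the dict
            out["import_missing"] = True
        # The hole: no builtin is needed to find the real FileIO class
        out["introspection_read"] = run_restricted(PROBE % secret, sandbox)
    return out


if __name__ == "__main__":
    print(demo())
```

The first three outcomes are what the proposal buys: the restricted code sees a different `open`, and names that were never put in the dict fail with `NameError` or `ImportError` rather than needing a mode flag checked inside each builtin. The last outcome is the limit of doing only that: the replaced name is a capability, but the original class is still reachable through the type graph, so a replacement-based design also has to deal with what untrusted code can reach by introspection, not just by name.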