[Python-Dev] new security doc using object-capabilities
Phillip J. Eby pje at telecommunity.com
Mon Jul 24 18:32:32 CEST 2006
At 12:50 AM 7/24/2006 -0700, Brett Cannon wrote:
> OK, then I need something clarified. If you read http://www.zope.org/Wikis/DevSite/Projects/ComponentArchitecture/TransitionToSecurityProxies , it talks about creating the proxies. I get they restrict attribute access and wrap all returned objects in proxies themselves (unless they are considered safe). But to judge whether an attribute should be returned, it checks the security context.
That depends on the checker. The proxy implementation delegates all access decisions to a "checker" object. Some checkers check permissions, but a NamesChecker just checks a statically-defined list of names.
> It also mentions how access to the security policy must be available so that proper security checks can be done to either grant or deny access.
> So what I want to know is if this security context is this global thing that proxies access every time to check whether something is allowed or not.
Proxies don't do that; checkers do. The default Checker implementation doesn't even look at a security context if a name is declared public (i.e., it's a NamesChecker). Look at the zope.security.checker module for details.
IOW, to make it a pure capabilities system, you would only delete code, not add any, as far as I can tell.
> Or is it a per-object specification?
Each proxy can have its own checker, but an individual checker instance can be shared between proxies.
> And what is the security domain for Zope proxies; objects, interpreter, running Python program, what?
There are restricted eval and exec operations to run restricted code.
The primary language limitations imposed are the lack of eval/exec by the restricted code, and lack of support for raise and try/except. Implementing these would require additional compiler hacking to add code to ensure that e.g. tracebacks get wrapped.
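The proxy/checker split described in the reply above, as an added toy model that is not zope.security's own code: the Proxy class makes no access decisions itself, every attribute lookup and call is delegated to a checker, non-safe results are re-wrapped in a proxy sharing the same checker, and the static NamesChecker never touches any security context while a PermissionChecker consults an interaction object that is passed in explicitly rather than looked up globally. The class names follow zope.security's vocabulary, but the Account/Ledger sample objects, the Interaction class and the permission names are constructed for this example.

```python
"""Toy model of zope.security-style security proxies (added example, not zope's code)."""


class ForbiddenAttribute(AttributeError):
    """Raised by a checker when access to a name is denied."""


# Immutable builtins that carry no further capabilities; returned unwrapped.
SAFE_TYPES = (int, float, bool, str, bytes, type(None))


class NamesChecker:
    """Allows exactly the listed names, regardless of who is asking (no security context)."""

    def __init__(self, names):
        self._names = frozenset(names)

    def check_getattr(self, obj, name):
        if name not in self._names:
            raise ForbiddenAttribute(name)

    def proxy(self, value):
        """Wrap non-safe results so a returned object cannot escape the capability."""
        if type(value) is Proxy or isinstance(value, SAFE_TYPES):
            return value
        return Proxy(value, self)


class PermissionChecker(NamesChecker):
    """Static name list plus a required permission per name, checked against an interaction."""

    def __init__(self, permissions, interaction):
        super().__init__(permissions)          # allowed names are the dict keys
        self._permissions = dict(permissions)  # name -> permission (constructed vocabulary)
        self._interaction = interaction        # supplied explicitly, not a global

    def check_getattr(self, obj, name):
        super().check_getattr(obj, name)
        needed = self._permissions[name]
        if not self._interaction.has_permission(needed):
            raise ForbiddenAttribute(f"{name} requires {needed!r}")


class Interaction:
    """Hypothetical stand-in for the caller's security context."""

    def __init__(self, permissions):
        self._permissions = frozenset(permissions)

    def has_permission(self, permission):
        return permission in self._permissions


class Proxy:
    """Read-only wrapper; all decisions are delegated to the checker."""
    __slots__ = ("_obj", "_checker")

    def __init__(self, obj, checker):
        object.__setattr__(self, "_obj", obj)
        object.__setattr__(self, "_checker", checker)

    def __getattribute__(self, name):
        obj = object.__getattribute__(self, "_obj")
        checker = object.__getattribute__(self, "_checker")
        checker.check_getattr(obj, name)
        return checker.proxy(getattr(obj, name))

    def __call__(self, *args, **kwargs):
        obj = object.__getattribute__(self, "_obj")
        checker = object.__getattribute__(self, "_checker")
        return checker.proxy(obj(*args, **kwargs))  # call results are wrapped too

    def __setattr__(self, name, value):
        raise ForbiddenAttribute(name)  # toy model: no attribute writes through a proxy


# Constructed sample objects for the demonstration.
class Ledger:
    def __init__(self):
        self.entries = ["open"]

    def wipe(self):
        self.entries.clear()


class Account:
    def __init__(self, owner, balance):
        self.owner, self.balance, self.ledger = owner, balance, Ledger()

    def deposit(self, amount):
        self.balance += amount
        return self.balance


def denied(thunk):
    """True if calling thunk() is refused by a checker."""
    try:
        thunk()
    except ForbiddenAttribute:
        return True
    return False


def demo():
    acct = Account("alice", 100)
    out = {}
    readonly = Proxy(acct, NamesChecker(["owner", "balance", "ledger"]))
    out["owner"] = readonly.owner                              # str is safe: unwrapped
    out["ledger_wrapped"] = type(readonly.ledger) is Proxy     # Ledger is not: re-proxied
    out["wipe_denied"] = denied(lambda: readonly.ledger.wipe())  # same checker, 'wipe' not listed
    out["deposit_denied_static"] = denied(lambda: readonly.deposit)
    rules = {"balance": "view", "deposit": "modify"}
    viewer = Proxy(acct, PermissionChecker(rules, Interaction({"view"})))
    out["viewer_balance"] = viewer.balance
    out["viewer_deposit_denied"] = denied(lambda: viewer.deposit(5))
    teller = Proxy(acct, PermissionChecker(rules, Interaction({"view", "modify"})))
    out["teller_deposit"] = teller.deposit(5)                  # bound method proxied, result int
    out["balance_after"] = acct.balance
    return out


if __name__ == "__main__":
    print(demo())
```

Deleting PermissionChecker and Interaction leaves a working system in which a proxy holding a NamesChecker is itself the only authority, which is the point of the remark that a pure capability system would be reached by removing code rather than adding it.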