[Python-Dev] Reviving restricted mode? (original) (raw)
Benjamin Peterson benjamin at python.org
Sun Feb 22 18:54:54 CET 2009
- Previous message: [Python-Dev] Reviving restricted mode?
- Next message: [Python-Dev] Reviving restricted mode?
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Sun, Feb 22, 2009 at 10:45 AM, Guido van Rossum <guido at python.org> wrote:
> I've received some enthusiastic emails from someone who wants to revive restricted mode. He started out with a bunch of patches to the CPython runtime using ctypes, which he attached to an App Engine bug:
> http://code.google.com/p/googleappengine/issues/detail?id=671
> Based on his code (the file secure.py is all you need, included in secure.tar.gz) it seems he believes the only security leaks are __subclasses__, gi_frame and gi_code. (I have since convinced him that if we add "restricted" guards to these attributes, he doesn't need the functions added to sys.)
We have to remember that it's quite trivial to segfault the interpreter with pure Python. (See Lib/test/crashers)
Even if this patch manages to plug all the holes in the current Python, do we really want to commit ourselves to maintaining it through language evolution, which will surely introduce new subtle ways to circumvent the guard?
IMO, the only fairly close to foolproof method of running restricted Python is through something like the PyPy sandbox, where all OS-level calls have to be checked by the master process.
> I don't recall the exploits that Samuele once posted that caused the death of rexec.py -- does anyone recall, or have a pointer to the threads?
It was broken by the introduction of new-style classes:
http://mail.python.org/pipermail/python-dev/2002-December/031160.html
-- Regards, Benjamin