[Python-Dev] Sandboxing Python
Victor Stinner victor.stinner at gmail.com
Thu Mar 1 22:59:51 CET 2012
I challenge anyone to break pysandbox! I would be happy if anyone breaks it because it would make it stronger.
Hum, I should give some rules for such a contest:
- the C module (_sandbox) must be used
- you have to get access to an object outside the sandbox, like a real module, or get access to a blocked resource (like the filesystem)
- the best is to be able to write into the filesystem
- you can use the interpreter ("python interpreter.py") to play with the sandbox, but you have to be able to reproduce with a simple script (e.g. using "python execfile.py script.py")
pysandbox works on Python 2.5, 2.6 and 2.7. It does not officially support Python 3 yet.
Example.
$ python setup.py build
$ PYTHONPATH=build/lib.*/ python interpreter.py --allow-path=/etc/issue
pysandbox 1.1
Enabled features: codecs, encodings, exit, interpreter, site, stderr, stdin, stdout, traceback
(use --features=help to enable the help function)

Try to break the sandbox!

sandbox>>> open('/etc/issue').read()
'Ubuntu 11.10 \n \l\n\n'
sandbox>>> type(open('/etc/issue'))('test', 'w')
Traceback (most recent call last):
  File "", line 1, in
TypeError: object.__new__() takes no parameters

You fail!
I'm interested in vulnerabilities in pysandbox using the Python restricted module (used when _sandbox is missing), but it is not the official mode :-) And it is more limited: you cannot read files for example.
See also sandbox tests to get some ideas ;-)
Victor