[Python-Dev] Sandboxing Python

Victor Stinner victor.stinner at gmail.com
Tue Mar 6 00:36:14 CET 2012


For a comparison, the PyPy sandbox is a program compiled from a higher-level language that by design does not have all sorts of the problems described. The amount of code you need to carefully review is very minimal (as compared to the entire CPython interpreter). It does not mean it has no bugs, but it does mean finding segfaults is a significantly harder endeavour. There are no bug-free programs, however having for example to segfault an arbitrary interpreter written in Python would be significantly harder than one in C, wouldn't it?

I agree that the PyPy sandbox design looks better... but some people are still using CPython and some of them need security. That's why there are projects like zope.security, RestrictedPython and others. Security was not included in CPython's design. Python is a highly dynamic language, which makes the situation worse.

I would like to improve CPython security. pysandbox is maybe not perfect, and it may only be a first step to improve security. Even if pysandbox has issues, having a frozendict type would help to secure applications. For example, it can be used later for builtins or to build read-only types.

I agree that each bug, especially a segfault, may lead to exploitable vulnerabilities, but it doesn't mean that we should not consider hardening Python because of these bugs. Even if PHP is known for its lack of security and its broken safe_mode, people use it and run it on web servers accessible to anyone on the Internet. There are also projects to harden PHP. For example: http://www.hardened-php.net/suhosin/

The suhosin patch doesn't avoid the possibility of segfaults, but it is harder to exploit them with the patch.

I proposed to start with a frozendict because I consider that it is not only useful for security, and the patch to add the type is not intrusive. Other changes to use the patch can be discussed later, except if you consider that related changes (builtins and read-only type) should be discussed to decide if a frozendict is required or not.

Victor
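To make the frozendict idea concrete, here is an added example (not code from this thread, from pysandbox, or from CPython): a minimal read-only, hashable mapping, a helper that reports which exception blocks each of the usual dict mutation paths, and a helper that builds a read-only subset of `builtins` from it. The names `frozendict`, `mutation_attempts` and `read_only_builtins` are this example's own.

```python
import builtins
import operator
from collections.abc import Mapping
from typing import Any, Callable, Dict, Iterable, Iterator


class frozendict(Mapping):
    """Read-only, hashable mapping (example implementation, not CPython's)."""

    __slots__ = ("_data", "_hash")

    def __init__(self, *args: Any, **kwargs: Any) -> None:
        # Copy the input so later changes to the source dict cannot leak in.
        object.__setattr__(self, "_data", dict(*args, **kwargs))
        object.__setattr__(self, "_hash", None)

    def __getitem__(self, key: Any) -> Any:
        return self._data[key]

    def __iter__(self) -> Iterator[Any]:
        return iter(self._data)

    def __len__(self) -> int:
        return len(self._data)

    def __hash__(self) -> int:
        # Hashable only when every value is hashable, like frozenset.
        if self._hash is None:
            object.__setattr__(self, "_hash", hash(frozenset(self._data.items())))
        return self._hash

    def __setattr__(self, name: str, value: Any) -> None:
        # Block attribute assignment so the backing dict cannot be swapped out.
        # Caveat: ``fd._data`` is still reachable from Python code; hiding it
        # needs the attribute-access restrictions the thread defers to later.
        raise AttributeError(f"{type(self).__name__} is read-only")

    def __repr__(self) -> str:
        return f"frozendict({self._data!r})"


def mutation_attempts(fd: frozendict) -> Dict[str, str]:
    """Try the usual mutation paths; return the exception name that blocked each."""
    paths: Dict[str, Callable[[], Any]] = {
        "setitem": lambda: operator.setitem(fd, "x", 1),
        "delitem": lambda: operator.delitem(fd, "x"),
        "update": lambda: fd.update({"x": 1}),
        "setattr": lambda: setattr(fd, "_data", {}),
    }
    results: Dict[str, str] = {}
    for name, attempt in paths.items():
        try:
            attempt()
            results[name] = "allowed"
        except (TypeError, AttributeError) as exc:
            results[name] = type(exc).__name__
    return results


def read_only_builtins(allowed: Iterable[str]) -> frozendict:
    """Build a read-only namespace holding only the named builtins."""
    return frozendict({name: getattr(builtins, name) for name in allowed})
```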