[Python-Dev] Reviving restricted mode?

Chris Angelico rosuav at gmail.com
Wed Aug 13 19:06:01 CEST 2014


On Thu, Aug 14, 2014 at 2:58 AM, Steven D'Aprano <steve at pearwood.info> wrote:

It's certainly not fundamentally impossible to sandbox Python. However, the question becomes one of how much effort you're going to go to and how much you're going to restrict the code. I believe that PyPy has an effective sandbox, but to what degree of effectiveness I don't know.

""" A potential attacker can have arbitrary code run in the subprocess, but cannot actually do any input/output not controlled by the outer process. Additional barriers are put to limit the amount of RAM and CPU time used.

Note that this is very different from sandboxing at the Python language level, i.e. placing restrictions on what kind of Python code the attacker is allowed to run (why? read about pysandbox). """

That's quite useful, but isn't the same thing as a Python-in-Python sandbox (or even what I was doing, Python-in-C++).

ChrisA


