rexec questions
Alex Martelli
aleaxit at yahoo.com
Tue Aug 7 12:26:50 EDT 2001
"Roman Suzi" <rnd at onego.ru> wrote in message
news:mailman.997127183.21245.python-list at python.org...
...
> >because there isn't much current interest in controlled execution
> >of untrusted Python code, so rexec didn't (I think) mature much
> >after work on Grail more or less stopped.
>
> I've heard Mozilla will have Python applets. How will it
> rexec them?
Do you have an URL? I'd like to investigate that -- with
google I can only find it expressed as a wish. Presumably
Mozilla could easily restrict Python applets *strongly*,
by forbidding things very broadly (just as, say, javascript
code embedded in dynamic-HTML pages is restricted -- it
can interact with the DOM of the HTML page, and that's
just about it).
> >But there are surely
> >other interesting applications for sandboxes for untrusted code,
> >so it may be time to design and implement a rexec2 successor,
> >building upon rexec to add easier customization of security
> >(controlled imports of non-builtin modules too, connections
> >only to hosts on a trusted list, whatever...).
>
> That is what Java's Security Manager (sp?) does. This can
> probably be explained by Python's usage areas. Python is
> not used in applets extensively (if at all).
Since Grail's demise, I do agree that Python isn't often
used to run untrusted code; when it is, I guess rexec's
simple (if draconian) policies suffice, more or less.
Alex
More information about the Python-list
mailing list