Private variables

Timothy J. Wood tjw at omnigroup.com
Fri Oct 18 21:49:14 EDT 2002


On Thursday, October 17, 2002, at 08:41 PM, Delaney, Timothy wrote:
> If your users must truly be considered as adversaries (i.e. you *cannot*
> trust them) then Python is not the correct language to use.

   My goal is to add scripting to a game engine that allows users to 
make their own game types in Python.  Thus I want users to be able to 
package up their scripts and give them to other users with as few as 
possible (ideally zero) security concerns.

> The simple fact is, if someone has the source to your code, or has the
> bytecode, then it doesn't matter what you do to prevent maliciousness - it
> becomes a trivial matter to circumvent.

   I'm actually planning on making rather more substantial changes to 
Python.  In particular, I haven't gotten warm fuzzies from the 
restricted exec stuff and I'd rather strip out everything that accesses 
dangerous system calls.  Yes, this means that many packages won't work, 
but the only package I want to work in my embedded system is mine (some 
others might be useful, but I'm aiming for the minimal useful 
installation).

   So, for example, anything that would access the filesystem would 
instead get bridged to my filesystem APIs (for reading zip files as 
filesystems, as in nearly every other game made today :).  All the 
native module loading, network support, process creation, and anything 
else that looks like it could be misused would not be included in the 
distribution.

   As part of this, I'll definitely disable loading of bytecode (for 
example, my filesystem API could just not return anything with a .pyc 
extension).


> I would suggest you take a long hard look at your requirements and see if
> you truly do need this level of security, or if it would simply be enough to
> have a system which will prevent mistakes (such as a proxy class which
> unconditionally throws an exception from __setattr__).

   I definitely want this level of security.  Any system that allows 
novice users to easily download and execute code modules developed by 
some random unknown person needs this level of security.

   I suppose I could hack something into Python while I'm making all 
these other changes, but if there is an existing way to do this, I'd 
rather invent as little of this as possible :)

   Thanks!

-tim
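An added example, not code from this thread, of the distribution-level approach Tim describes in modern Python terms: a meta-path finder that serves only .py sources out of the script archive, lets through a small allowlist of standard modules, and refuses everything else, including .pyc entries and modules such as socket or os that were simply never shipped. The package name "mygame", the archive contents and the allowlist are constructed for illustration; the finder restricts what can be imported and is not a sandbox for code that is already running.

```python
import importlib.abc
import importlib.util
import io
import sys
import zipfile

# Constructed sample script archive standing in for a user's game package;
# the stray .pyc entry shows that bytecode is never served.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as zf:
    zf.writestr("mygame/__init__.py", "VERSION = 1\n")
    zf.writestr("mygame/rules.py", "import math\nMAX_PLAYERS = math.floor(2.5)\n")
    zf.writestr("mygame/cheat.pyc", b"\x00not-bytecode")
SCRIPT_ZIP = _buf.getvalue()
STDLIB_ALLOWED = {"math"}  # hypothetical allowlist of harmless stdlib modules

class RestrictedZipFinder(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    def __init__(self, zip_bytes, stdlib_allowed):
        self.zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
        self.allowed = set(stdlib_allowed)
        self.denied = []  # refused module names, worth logging in a real engine

    def find_spec(self, fullname, path=None, target=None):
        if fullname in self.allowed:
            return None  # defer to the regular finders for allowlisted modules
        base = fullname.replace(".", "/")
        for entry in (base + "/__init__.py", base + ".py"):  # .py only, never .pyc
            if entry in self.zf.namelist():
                return importlib.util.spec_from_loader(
                    fullname, self, origin=entry, is_package=entry.endswith("__init__.py"))
        self.denied.append(fullname)
        raise ImportError(f"{fullname!r} is not part of this distribution")

    def exec_module(self, module):
        source = self.zf.read(module.__spec__.origin).decode("utf-8")
        exec(compile(source, module.__spec__.origin, "exec"), module.__dict__)

def load_game_rules(zip_bytes=SCRIPT_ZIP, probes=("socket", "mygame.cheat")):
    # Import the shipped package under the restriction; returns (MAX_PLAYERS, denied).
    finder = RestrictedZipFinder(zip_bytes, STDLIB_ALLOWED)
    sys.meta_path.insert(0, finder)  # consulted before every built-in finder
    try:
        rules = importlib.import_module("mygame.rules")
        for name in probes:  # probe the finder directly so a module already
            try:             # cached in sys.modules cannot mask the refusal
                finder.find_spec(name)
            except ImportError:
                pass
    finally:
        sys.meta_path.remove(finder)
    return rules.MAX_PLAYERS, list(finder.denied)
```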