Private variables
Timothy J. Wood
tjw at omnigroup.com
Fri Oct 18 21:49:14 EDT 2002
On Thursday, October 17, 2002, at 08:41 PM, Delaney, Timothy wrote:
> If your users must truly be considered as adversaries (i.e. you *cannot*
> trust them) then Python is not the correct language to use.
My goal is to add scripting to a game engine that allows users to
make their own game types in Python. Thus I want users to be able to
package up their scripts and give them to other users with as few as
possible (ideally zero) security concerns.
> The simple fact is, if someone has the source to your code, or has the
> bytecode, then it doesn't matter what you do to prevent maliciousness - it
> becomes a trivial matter to circumvent.
I'm actually planning on making rather more substantial changes to
Python. In particular, I haven't gotten warm fuzzies from the
restricted exec stuff and I'd rather strip out everything that accesses
dangerous system calls. Yes, this means that many packages won't work,
but the only package I want to work in my embedded system is mine (some
others might be useful, but I'm aiming for the minimal useful
installation).
So, for example, anything that would access the filesystem would
instead get bridged to my filesystem APIs (for reading zip files as
filesystems, as in nearly every other game made today :). All the
native module loading, network support, process creation, and anything
else that looks like it could be misused would not be included in the
distribution.
As part of this, I'll definitely disable loading of bytecode (for
example, my filesystem API could just not return anything with a .pyc
extension).
> I would suggest you take a long hard look at your requirements and see if
> you truly do need this level of security, or if it would simply be enough to
> have a system which will prevent mistakes (such as a proxy class which
> unconditionally throws an exception from __setattr__).
I definitely want this level of security. Any system that allows
novice users to easily download and execute code modules developed by
some random unknown person needs this level of security.
I suppose I could hack something into Python while I'm making all
these other changes, but if there is an existing way to do this, I'd
rather invent as little of this as possible :)
Thanks!
-tim
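The loading scheme Tim sketches (modules served only as .py source out of a zip "filesystem", .pyc entries never returned, imports of anything outside the mod pack or an explicit stdlib allowlist refused) can be expressed as a meta-path finder on unmodified CPython. The block below is an added example for this thread, not code from the original post or from any game engine; the zip contents, the module names `gametype.rules` / `gametype.evil` and the `SAFE_BUILTIN_NAMES` list are constructed for illustration. It demonstrates the import-side design only: with a stock interpreter the executed script still shares the process, so tricks such as walking `object.__subclasses__()` can reach unrestricted builtins, which is exactly why the thread says the interpreter itself has to be stripped for adversarial users.

```python
"""Source-only module loading from an in-memory zip, refusing .pyc entries
and non-allowlisted imports.  Added example for the thread; assumptions are
marked in comments."""
import builtins
import importlib
import importlib.abc
import importlib.util
import io
import sys
import zipfile

# Builtins a mod script is allowed to see (assumed allowlist for the example).
SAFE_BUILTIN_NAMES = ("abs", "min", "max", "len", "range", "sum", "list", "dict",
                      "tuple", "set", "int", "float", "str", "bool", "enumerate",
                      "zip", "sorted", "isinstance", "ValueError", "TypeError")


def build_sample_pack() -> bytes:
    """Constructed mod pack: one real module, a .pyc decoy, one bad module."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("gametype/__init__.py", "")
        zf.writestr("gametype/rules.py",
                    "SCORE_LIMIT = 50\n"
                    "def score(kills, deaths):\n"
                    "    return kills * 2 - deaths\n")
        zf.writestr("gametype/sneaky.pyc", b"\x00" * 16)  # bytecode: must stay invisible
        zf.writestr("gametype/evil.py", "import os\n")    # stdlib not allowlisted: refused
    return buf.getvalue()


class ZipSourceFinder(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    """Serve modules only from .py entries of a zip; everything else is absent."""

    def __init__(self, zip_bytes: bytes, allowed_stdlib=frozenset()):
        self.zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
        self.names = set(self.zf.namelist())
        self.allowed_stdlib = allowed_stdlib

    def _source_path(self, fullname):
        # Only *.py is considered, so a .pyc in the archive can never be found.
        base = fullname.replace(".", "/")
        for candidate, is_pkg in ((base + "/__init__.py", True), (base + ".py", False)):
            if candidate in self.names:
                return candidate, is_pkg
        return None, False

    def find_spec(self, fullname, path=None, target=None):
        src, is_pkg = self._source_path(fullname)
        if src is None:
            return None
        spec = importlib.util.spec_from_loader(fullname, self, is_package=is_pkg)
        spec.loader_state = src
        return spec

    def create_module(self, spec):
        return None  # use the default module object

    def exec_module(self, module):
        src = self.zf.read(module.__spec__.loader_state).decode("utf-8")
        code = compile(src, module.__spec__.loader_state, "exec")
        # Replace the module's builtins before running any mod code.
        module.__dict__["__builtins__"] = restricted_builtins(self)
        exec(code, module.__dict__)


def restricted_builtins(finder):
    """Allowlisted builtins plus an __import__ that only resolves pack modules
    and the finder's stdlib allowlist."""
    safe = {n: getattr(builtins, n) for n in SAFE_BUILTIN_NAMES}

    def guarded_import(name, globals=None, locals=None, fromlist=(), level=0):
        if level > 0:  # resolve relative imports to an absolute name first
            name = importlib.util.resolve_name("." * level + name,
                                               (globals or {}).get("__package__"))
        top = name.partition(".")[0]
        if finder._source_path(top)[0] is not None or top in finder.allowed_stdlib:
            return importlib.__import__(name, globals, locals, fromlist, 0)
        raise ImportError(f"import of {name!r} is not permitted in mod scripts")

    safe["__import__"] = guarded_import
    return safe


def install(zip_bytes, allowed_stdlib=frozenset({"math"})):
    finder = ZipSourceFinder(zip_bytes, allowed_stdlib)
    sys.meta_path.insert(0, finder)
    return finder


def run_demo():
    """Load the constructed pack and report what the finder allowed."""
    finder = install(build_sample_pack())
    rules = importlib.import_module("gametype.rules")
    results = {"score": rules.score(10, 3),
               "pyc_visible": finder.find_spec("gametype.sneaky") is not None}
    try:
        importlib.import_module("gametype.evil")
        results["evil_blocked"] = False
    except ImportError:
        results["evil_blocked"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

The finder sits first on `sys.meta_path` and answers only for names that map to a `.py` entry, so the archive's `sneaky.pyc` is simply not a module as far as the importer is concerned; the guard on `__import__` is what stops `evil.py` from pulling in `os`, and the same hook is where an engine would route file access to its own zip-backed API.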