Replacement for rexec/Bastion?

Colin Coghill (SFive) mugginsm at under-the-fridge.com
Tue Aug 26 06:28:03 EDT 2003


Hi, a year or so back some students of mine and I wrote some software
which made use of the rexec module to run untrusted user code relatively
safely. (We were creating a prototype of a mobile-code style app.)

I'm now working on another project which will need to be able to
do something similar, and I noticed that rexec and Bastion have been
withdrawn for (in)security reasons.

I've searched fairly hard, and have been unable to find any replacement,
but notice that the source still seems to have some form of restricted
environment available (involving __builtins__ manipulation), but I can't
find any documentation or discussion of this.

Is Python (preferably CPython 2.3) still able to "sandbox" bits of code
under an application-provided API safely?

Even Jython or Stackless would be ok, I suppose.

I'd like to be able to have (possibly malicious) users of my software able
to script behavior using small snippets of Python code. Anything from a line
to maybe a few pages in length each. I can trap endless loops and the like,
but I need something to stop them just importing sys and raising havoc.

- Colin