Securing the Pyton Interpreter?

[Stephen VanDahm]

In article <yu99he5ogdnx.fsf at tinker.research.att.com>, Andrew Koenig wrote:
> Stephen> I'm looking for a way to install Python on a UNIX machine in
> Stephen> a way such that any user on the system can use it, but only
> Stephen> to execute scripts that are located in a certain directory.
> 
> Why?  If I were a user on that machine and wanted to execute Python
> scripts in a different directory, how would you stop me from installing
> Python on my own and using it for those scripts?
> 


Andrew,

I'm a member of a Public Access UNIX system.  Some users on the system are 
allowed to use development tools (like Python) and other aren't.  Also, 
some users are allowed to install software that they've written into a 
publically accessible area so that everyone on the system can use it.  The 
problem is that if the software is written in a language like Python, 
regular users won't be able to use the Python interpreter to run it, and 
the Python programs that we write won't be very useful.  Some of us want 
to install a second interpreter that's been secured somewhat so that 
people can run our programs without being able to execute arbitrary 
Python programs.

You are correct that nothing (in principle) prevents someone from 
installing another Python interpreter in $HOME/bin and running whatever 
they want.  In fact, that's kind of what *we're* doing.  But since I 
neither make nor enforce the rules, it isn't my problem if other people 
try to break them.

Basically, I need to do this for bureaucratic reasons.  I know it's a 
hack, and that it sounds like a stupid thing to do, but it's the best 
available option for us....

Thanks for the reply,

Steve