Creating a capabilities-based restricted execution system
Sean R. Lynch
seanl at chaosring.org
Sat Jan 3 04:44:34 EST 2004
Paul Rubin wrote:
> Well, I have a dumb question. Have you studied the security failures
> of rexec/Bastion and convinced yourself that they don't happen to your
> new scheme?
If you know of a location where the known shortcomings of rexec are
documented, please let me know. So far I've only seen a couple of examples
and a lot of people saying "it's not secure so let's disable it."
My current methodology is to be very careful about adding any privileges
beyond what RestrictedPython allows.
> You might look at the PyPy architecture doc if you haven't yet.
> Making a separate object space for restricted objects may fit PyPy's
> design quite naturally.
I have looked at PyPy. It's very interesting, but RestrictedPython is
already written and in use in Zope.
I think I've figured out a way to use my name mangling scheme to make
attributes only *writable* by code defined on a class from which an
object descends: do writes through a name-mangled method, and have
RestrictedPython output self._mangled_setattr(attr, val) for each
attempted attribute assignment. This will basically make it impossible
to have attributes that are writable from other classes, but I think
it's probably a prerequisite for capabilities. Most other languages
require attributes to be set via methods anyway, right?
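The mechanism sketched above, as an added example that is not code from the post, from Zope, or from RestrictedPython: an AST rewriter turns every `obj.attr = value` in untrusted source into `obj._mangled_setattr('attr', value)`, and a base class routes all writes through that method, accepting them only when the calling function was defined on a class in the object's MRO. The method name `_mangled_setattr`, the `Guarded` base class, and the use of CPython frame inspection for the caller check are all assumptions made for this illustration; RestrictedPython's real transformer and Zope's guards work differently.

```python
import ast
import sys

# Assumed name for the rewritten setter; the post does not fix one.
MANGLED_SETATTR = "_mangled_setattr"


class AttrRewriter(ast.NodeTransformer):
    """Rewrite `target.attr = value` into `target._mangled_setattr('attr', value)`,
    mimicking what the post proposes RestrictedPython should emit."""

    def visit_Assign(self, node):
        self.generic_visit(node)
        if len(node.targets) == 1 and isinstance(node.targets[0], ast.Attribute):
            tgt = node.targets[0]
            call = ast.Call(
                func=ast.Attribute(value=tgt.value, attr=MANGLED_SETATTR, ctx=ast.Load()),
                args=[ast.Constant(tgt.attr), node.value],
                keywords=[],
            )
            return ast.copy_location(ast.Expr(call), node)
        return node


def compile_restricted(source, filename="<restricted>"):
    """Parse untrusted source, rewrite attribute assignments, and compile it."""
    tree = AttrRewriter().visit(ast.parse(source, filename))
    ast.fix_missing_locations(tree)
    return compile(tree, filename, "exec")


class Guarded:
    """Base class for objects whose attributes may only be written through
    _mangled_setattr, and only by code defined on a class in the object's MRO."""

    def __setattr__(self, name, value):
        # Direct assignment (from unrewritten or trusted-looking code) is refused.
        raise AttributeError(f"direct assignment to {name!r} is not permitted")

    def _defined_on_own_class(self, code):
        # Assumption: a caller is 'own code' if its code object belongs to a
        # function stored on one of the classes this object descends from.
        for cls in type(self).__mro__:
            for member in vars(cls).values():
                if getattr(member, "__code__", None) is code:
                    return True
        return False

    def _mangled_setattr(self, name, value):
        caller = sys._getframe(1).f_code  # CPython-specific caller lookup (assumption)
        if not self._defined_on_own_class(caller):
            raise PermissionError(f"{caller.co_name} may not set {name!r}")
        object.__setattr__(self, name, value)


# Constructed untrusted source: a class that owns its attributes, plus a
# function elsewhere that tries to write one of them.
RESTRICTED_SOURCE = """
class Wallet(Guarded):
    def __init__(self):
        self.balance = 0
    def deposit(self, amount):
        self.balance = self.balance + amount

def steal(wallet):
    wallet.balance = 10**6
"""


def run_demo():
    """Execute the rewritten source and report which writes were allowed."""
    ns = {"Guarded": Guarded}
    exec(compile_restricted(RESTRICTED_SOURCE), ns)
    wallet = ns["Wallet"]()
    wallet.deposit(5)                      # write from a method on Wallet: allowed
    results = {"balance": wallet.balance}
    try:
        ns["steal"](wallet)                # write from a free function: denied
        results["steal"] = "allowed"
    except PermissionError:
        results["steal"] = "denied"
    try:
        wallet.balance = 42                # unrewritten direct assignment: denied
        results["direct"] = "allowed"
    except AttributeError:
        results["direct"] = "denied"
    return results


if __name__ == "__main__":
    print(run_demo())
```

The rewriter only handles single-target attribute assignments; augmented assignments (`obj.x += 1`), tuple targets and `setattr` calls would need the same treatment, which is the kind of privilege creep the post says it is being careful about.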