Creating a capabilities-based restricted execution system

Sun Jan 4 20:28:04 EST 2004

"Serge Orlov" <sombDELETE at pobox.ru> wrote in message
news:btac4k$1ekr$1 at nadya.doma...
>
> "John Roth" <newsgroups at jhrothjr.com> wrote in message
news:vvh75ienj7g244 at news.supernews.com...
> >
> > "Serge Orlov" <sombDELETE at pobox.ru> wrote in message
> > news:bta2ng$16v7$1 at nadya.doma...
> > >
> > > "John Roth" <newsgroups at jhrothjr.com> wrote in message
> > news:vvg0h93ue63c0b at news.supernews.com...
> > > >
> > > > One problem I've been playing around with is: how would you
> > > > implement something functionally equivalent to the Unix/Linux
> > > > chroot() facility? The boundaries are that it should not require
> > > > coding changes to the application that is being restricted, and it
> > > > should allow any and all Python extension (not C language
> > > > extension) to operate as coded (at least as long as they don't
> > > > try to escape the jail!) Oh, yes. It has to work on Windows,
> > > > so it's not a legitimate response to say: "use chroot()."
> > >
> > > I don't see any unsolvable problems. Could you be more specific
> > > what is the problem? (besides time, money, need to support
> > > alternative python implementation, etc...)
> >
> > Well, I don't see any unsolvable problems either. The biggest
> > sticking point is that the Unices use hard links to create
> > a directory tree that has the necessary programs availible.
> > Windows does not have this capability, so an implementation
> > would have to build a virtual directory structure, intercept all
> > paths and map them to the virtual structure backwards and
> > forwards.
> >
> > The reason I find it an interesting problem is that I can't see
> > any way to do it with the kind of "generic" facility that was
> > in the Python Restricted execution facility,  at least without a
> > complete redesign of the file and directory functions and
> > classes in the os module. Without that, it would
> > require code in the C language implementation modules.
> > Right now the file and directory management modules are a
> > real mess.
>
> Right, you can do it with a custom importer and wrapper
> functions over all file and directory functions. But that's
> a mess over a mess and any mess is *bad* for security.
> The way out the mess is probably filepath object that
> should consolidate all access to files and directories.
> If you wanted to make a point that std library should
> be designed with security in mind I agree with you.
> One step in that direction is to design everything OO.
> OO design plays nice with capabilities.
>
> -- Serge.

Sean Ross took a pass at this idea in the thread
"Finding File Size" starting on 1/1. That got renamed
to "Filename Type" somewhere fairly quick.

There's now a pre-pep  http://tinyurl.com/2578q
for the notion, thanks to Gerrit Holl.

John Roth
>
>