Restricted Execution on the cheap
Nick Coghlan
ncoghlan at email.com
Tue Nov 30 07:58:16 EST 2004
David Pokorny wrote:
> Hi,
>
> Suppose that one wants to set up a machine to accept python code from,
> say, arbitrary email, and run it safely. Would the following
> (somewhat draconian) precautions be sufficient?
In short, no. Python's introspection capabilities kill you. There are too many
ways to spell things to be certain all the loopholes are closed.
For instance, take a look at the result of:
type(sys.stdout)
Sure, you can add 'type' to the banned list, but eventually the banned list is
so long, writing a useful program is damn near impossible. 'chr' and '__dict__',
for instance, would almost certainly have to be on the banned list, otherwise:
key1 = ''.join([chr(x) for x in [95, 95, 98, 117, 105, 108, 116, 105, 110,
95, 95]])
key2 = ''.join([chr(x) for x in [102, 105, 108, 101]])
sys.modules[key1].__dict__[key2]
It isn't accidental that Bastion and rexec got deprecated - the developers just
can't guarantee that the modules are actually providing adequate protection.
A chroot() jail, setuid() to some permission-less sandbox user and your
monitoring daemon are likely to get you a lot further.
Regards,
Nick.
P.S. Both examples above are bizarre ways of spelling 'file', for anyone who
can't be bothered figuring it out.
More information about the Python-list
mailing list