Using python for writing models: How to run models in restricted python mode?

Mike Meyer mwm at mired.org
Mon Nov 7 17:12:30 EST 2005


"vinjvinj" <vinjvinj at gmail.com> writes:
> 1. restrict the user from doing any file io, exec, import, eval, etc. I
> was thinking of writing a plugin for pylint to do all the checks? Is
> this a good way given that there is no restricted python. What are
> the things I should search for in python code?

Um - I've got a restricted python module: rexec.py. Of course, it
doesn't work correctly, in that it isn't really secure. Python is very
powerful, and creating a secure sandbox is difficult - so much so that
the task has never been accomplished. If you want something that will
keep the obvious things from working, rexec.py might be for you - but
don't kid yourself that it's secure. If you need real security, I'd
consider switching to Jython, which at least has a VM which was
designed with building such sandboxes as a possibility.

> 2. restrict the amount of memory a module uses as well. For instance
> how can I restrict a user from doing a = range(10000000000) or similar
> tasks so that my whole compute farm does not come down.

This is equivalent to trying to limit the amount of CPU time the
module uses, which is better known as the halting problem. There's no
algorithmic solution to that. If you want to verify that some module will
only use so much memory before executing it, the best you can do is
verify that they don't do anything obvious. If you want to restrict
them while they are running, you can probably get the OS to
help. Exactly how will depend on your requirements, and the OS
involved.

        <Mike
-- 
Mike Meyer <mwm at mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
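
The reply above suggests getting the OS to help limit a module while it runs. As an added example (not part of the original post), this is one way to do that on a Unix system with Python 3, using kernel resource limits on a child interpreter; the names `run_limited` and `_cap` and the limit values are assumptions chosen for illustration.

```python
import resource
import subprocess
import sys

def _cap(kind, wanted):
    """Lower the soft and hard limit for `kind`, never above the current hard limit."""
    _, hard = resource.getrlimit(kind)
    if hard != resource.RLIM_INFINITY:
        wanted = min(wanted, hard)
    resource.setrlimit(kind, (wanted, wanted))

def run_limited(code, mem_bytes=1 << 30, cpu_seconds=2, wall_seconds=30):
    """Run `code` in a fresh interpreter under kernel-enforced limits.

    Returns (returncode, stdout, stderr). A negative returncode means the
    kernel killed the child with that signal (SIGXCPU or SIGKILL for CPU).
    """
    def apply_limits():  # runs in the child, after fork() and before exec()
        _cap(resource.RLIMIT_AS, mem_bytes)     # total address space
        _cap(resource.RLIMIT_CPU, cpu_seconds)  # CPU seconds, not wall clock

    proc = subprocess.run(
        [sys.executable, "-I", "-c", code],
        preexec_fn=apply_limits,
        capture_output=True, text=True,
        timeout=wall_seconds,  # backstop for a child that sleeps instead of spinning
    )
    return proc.returncode, proc.stdout, proc.stderr

if __name__ == "__main__":
    # Constructed sample inputs: a well-behaved model, the allocation from the
    # question (range() is lazy on Python 3, hence list()), and a busy loop.
    for src in ("print(sum(range(1000)))",
                "a = list(range(10000000000))",
                "while True: pass"):
        rc, out, err = run_limited(src, cpu_seconds=1)
        last = err.strip().splitlines()[-1] if err.strip() else ""
        print(f"{src!r}: rc={rc} out={out.strip()!r} err={last!r}")
```

These limits bound memory and CPU only; they do nothing about file I/O, imports or exec, which is the separate sandboxing problem discussed in the first part of the reply.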


