Building a "safe" python?

Gabriel Genellina gagsl-py2 at yahoo.com.ar
Thu Mar 27 16:35:16 EDT 2008


On Thu, 27 Mar 2008 16:29:23 -0300, <martin.nordstrom87 at gmail.com>  
wrote:

> I'm making a game where you'll be able to make your own mods and I
> want to be able to write these mods in python. However, python has a
> lot of "dangerous" functions (like erase any file on the harddrive
> etc) so I want a "safe" python. I first found RExec but that is
> disabled in python 2.5 so I was thinking about building python from
> source with a few changes.
> The changes I was thinking about was to change the import function so
> that it should only be able to import the .pyd-files that I allow (and
> it should of course still be able to import any .py-file) and remove
> or change the builtin functions that are "dangerous".
> Is this enough to make a "safe" python that can't do anything
> "dangerous"?

No, and that's the reason for rexec/bastion removal. There are several  
ways to circumvent it. For example, if the user can get access to a file  
object, he can open any other file using type(f)("anyotherfile"). If he  
can get an object defined in your code:

py> type(x).some_method.func_globals['__builtins__'].__import__
<built-in function __import__>

and then import anything.

I think that a highly reputed Python developer made some time ago a really  
safe version and nobody could spot any holes, but I can't find the  
reference.

> I'm going to embed this "safe" python into my game and I've discovered
> that when I embed the original python and the mod wants to import
> a .py-file that is not in the game directory it will search for
> the .py-file in the python directory that is installed on my computer.
> Can I somehow prevent the embedded python to look in the python
> directory?

Python looks along sys.path for importing things. Sorry but if you don't  
know that you shouldn't try to build a safe Python version on your own -  
at least you should have a lot of doubts that it is actually safe.

-- 
Gabriel Genellina
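
Added example, not part of the original message: a check a host application could run on each object before exposing it to mod code, reporting attributes whose function globals lead back to the real `__import__`, and confirming the expression from the reply against a stripped-builtins namespace. It uses the Python 3 spelling `__globals__` for the reply's `func_globals`; `Player`, `builtins_leaks`, `eval_restricted` and `mod_reaches_import` are hypothetical names.

```python
import types

def _import_from(fn_globals):
    """Return __import__ if these function globals expose it, else None."""
    b = fn_globals.get("__builtins__")
    # __builtins__ is a dict in imported modules and a module in __main__.
    return b.get("__import__") if isinstance(b, dict) else getattr(b, "__import__", None)

def builtins_leaks(obj):
    """Names of attributes on type(obj) that are Python functions whose
    globals lead back to the real __import__."""
    leaks = []
    for name in dir(type(obj)):
        attr = getattr(type(obj), name, None)
        fn = getattr(attr, "__func__", attr)  # unwrap class/bound methods
        if isinstance(fn, types.FunctionType) and _import_from(fn.__globals__):
            leaks.append(name)
    return sorted(leaks)

class Player:  # hypothetical host object a game might hand to mods
    def __init__(self, name):
        self.name = name

    def rename(self, new_name):
        self.name = new_name

def eval_restricted(source, exposed):
    """Evaluate mod code with builtins cut down to `type` only, the kind of
    stripped interpreter the question proposes."""
    namespace = {"__builtins__": {"type": type}}
    namespace.update(exposed)
    return eval(source, namespace)

# The expression from the reply, with the attribute renamed for Python 3.
PAGE_EXPRESSION = "type(x).rename.__globals__['__builtins__']"

def mod_reaches_import(exposed):
    """Return what the reply's expression yields inside the restricted eval."""
    reached = eval_restricted(PAGE_EXPRESSION, exposed)
    return _import_from({"__builtins__": reached})

if __name__ == "__main__":
    player = Player("constructed sample")
    print("leaky attributes:", builtins_leaks(player))
    print("mod reaches:", mod_reaches_import({"x": player}))
```

Every pure-Python method on an exposed object is flagged, which is the practical meaning of the reply: trimming builtins does not contain code that holds a reference to any host-defined object.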