[Python-ideas] CLI option for isolated mode

M.-A. Lemburg mal at egenix.com
Fri Nov 9 09:19:04 CET 2012


On 08.11.2012 23:13, Christian Heimes wrote:
> Hi everybody,
> 
> I'd like to propose a new option for the Python interpreter:
> 
>   python -I
> 
> It shall start the interpreter in isolated mode which ignores any
> environment variables set by the user and any files installed by the
> user. The mode segregates a Python program from anything an unprivileged
> user is able to modify and uses only files that are installed by a
> system administrator.
> 
> The isolated mode implies -E (ignore all PYTHON* environment vars) and
> -s (don't add user site directory). It also refrains from the inclusion
> of '' or getcwd() to sys.path. TKinter doesn't load and execute Python
> scripts from the user's home directory. Other parts of the stdlib should
> be checked, too.
> 
> The option is intended for OS and application scripts that don't want
> to become affected by user installed files or files in the current
> working path of a user.
> 
> The idea is motivated by a couple of bug reports, for example:
> 
> https://bugs.launchpad.net/bugs/938869  lsb_release crashed with SIGABRT
> in Py_FatalError()
> 
> http://bugs.python.org/issue16202  sys.path[0] security issues
> 
> http://bugs.python.org/issue16248  Security bug in tkinter allows for
> untrusted, arbitrary code execution.

Sounds like a good idea. I'd be interested in this, because it would
make debugging user installation problems easier.

The only thing I'm not sure about is the option character "-I". It
reminds me too much of the -I typically used for include paths
in C compilers :-)

BTW: In order to have Python applications respect this flag, there
should be an easy way to access this flag in Python programs, e.g.
sys.ignore_user_env.

-- 
Marc-Andre Lemburg
eGenix.com

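The behaviour proposed in this thread can be checked from the outside. This is an added example, not part of either message or of CPython's own code: CPython 3.4 and later ship the option as `-I` and expose it to programs as `sys.flags.isolated`, rather than under the `sys.ignore_user_env` name suggested in the reply. The names `probe` and `require_isolated` and the decoy modules are hypothetical, constructed for the illustration.

```python
import json
import os
import subprocess
import sys
import tempfile
from pathlib import Path

# Runs in the child interpreter: report the flags and whether decoy modules
# planted in user-writable locations would be resolved by an import.
CHILD = """
import importlib.util, json, sys
print(json.dumps({
    "isolated": sys.flags.isolated,
    "ignore_environment": sys.flags.ignore_environment,
    "no_user_site": sys.flags.no_user_site,
    "cwd_module_found": importlib.util.find_spec("cwd_decoy") is not None,
    "env_module_found": importlib.util.find_spec("env_decoy") is not None,
}))
"""


def probe(isolated):
    """Start a child interpreter, with or without -I, and return its report."""
    with tempfile.TemporaryDirectory() as cwd, tempfile.TemporaryDirectory() as extra:
        # Constructed decoys: empty modules in the working directory and in a
        # directory named by PYTHONPATH, both writable by an ordinary user.
        Path(cwd, "cwd_decoy.py").write_text("")
        Path(extra, "env_decoy.py").write_text("")
        env = dict(os.environ, PYTHONPATH=extra)
        env.pop("PYTHONSAFEPATH", None)  # 3.11+ setting that would mask the cwd case
        cmd = [sys.executable] + (["-I"] if isolated else []) + ["-c", CHILD]
        done = subprocess.run(cmd, cwd=cwd, env=env, check=True,
                              capture_output=True, text=True)
        return json.loads(done.stdout)


def require_isolated(flags=sys.flags):
    """Guard for system scripts: refuse to run unless started with -I."""
    if not flags.isolated:
        raise RuntimeError("start this script with 'python -I'")


if __name__ == "__main__":
    for mode in (False, True):
        print("-I" if mode else "default", probe(mode))
```

Without `-I` both decoys are resolvable, one through the `''` entry in `sys.path` and one through `PYTHONPATH`. With `-I` neither is, and all three flags read 1.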