Chris Withers wrote:
> Hi All,
>
> I'm trying to build a secure execution environment for bits of python
> for two reasons:
>
> - to allow users of the system to write scripts in python without
> circumventing the application's security model
>
> - to allow the system to have an environment where security is handled
> without having to do explicit checks in every piece of example code.
>
> This second point is better demonstrated by an example:
>
> Bad:
>
> >>> from security import check, AccessDenied
> >>> if check(someobj, 'someattr'):
> ...     print someobj.someattr
> ... else:
> ...     raise AccessDenied("can't access 'someattr'")
> Traceback (most recent call last):
>   File "<stdin>", line ?, in ?
> AccessDenied: can't access 'someattr'
>
> Good:
>
> >>> someobj.someattr
> Traceback (most recent call last):
>   File "<stdin>", line ?, in ?
> AccessDenied: can't access 'someattr'
>
> Now, I think I can get a lot of this from Zope 3's security proxy
> objects, however I need to find a way to limit the importing of modules
> to, for example, prevent people importing the method that unwraps the
> proxy objects ;-)
>
> Have other people bumped into this problem?
> What solutions do people recommend?

Once upon a time, there was a module called "bastillon" (am I right?) and "rexec" (restricted execution environment), but they were not really secure. It was a long time ago. Python is very flexible and interpreted, and it is hard to prevent the users from importing modules. They can do nasty things. For example, open a file and eval() it, etc. It is almost impossible to set up an environment in pure Python that restricts them from doing certain things. Python is too flexible for that, and "bad" users are too ingenious.
I would say the only reliable solution is to use a virtual machine. For example, use chroot, jail (under FreeBSD) or VMware, and install only the allowed modules on that virtual computer. Install firewall rules to prevent the user from connecting to any host, use a write-protected disk, have them use nobody:nogroup, etc. And finally, open one port where they can connect to your protected internal server that will check permissions and do the actual job for them. In other words, let the operating system restrict the resources.

Well, this is what I would do, maybe I'm wrong. I have never had to do this.

Best,

Laszlo

--
http://mail.python.org/mailman/listinfo/python-list
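The point Laszlo makes above (that a pure-Python restriction on imports does not hold, so the boundary has to come from the operating system) can be shown concretely. The following is an added example written for this page, not code from either poster or from Zope; the "host" and "guest" snippets are constructed for the demonstration and it assumes CPython 3. The host strips `__import__` and `open` out of the guest's builtins; the guest gets them back anyway by walking `object.__subclasses__()` to any class written in Python, reading its `__init__.__globals__["__builtins__"]`, and importing `os` from there. No bug is involved, only ordinary introspection, which is exactly why pure-Python sandboxes like rexec were abandoned.

```python
"""Why stripping builtins is not a sandbox (constructed demonstration)."""
import os

# Host side: the guest is supposed to see only these names.
# Deliberately no __import__, no open, no getattr, no type.
SAFE_BUILTINS = {"len": len, "range": range, "str": str}


def run_restricted(src: str) -> dict:
    """Execute untrusted guest `src` under the stripped builtins table
    and return the resulting guest namespace."""
    env = {"__builtins__": SAFE_BUILTINS}
    exec(src, env)
    return env


# Guest 1: the naive attempt that the restriction does stop.
NAIVE_GUEST = "import os\nresult = os.getcwd()\n"

# Guest 2: written with nothing but names the host left us, it recovers
# the real builtins from the object graph and imports os regardless.
ESCAPE_GUEST = '''
def real_builtins():
    # object.__subclasses__() lists every class loaded in the interpreter.
    # A class implemented in Python has an __init__ function whose
    # __globals__ is its module namespace, and every module namespace
    # carries the interpreter's genuine __builtins__.
    for cls in ().__class__.__base__.__subclasses__():
        try:
            g = cls.__init__.__globals__      # C slot wrappers have none
        except:                               # bare except: no AttributeError name here
            continue
        if "__builtins__" in g:
            b = g["__builtins__"]
            try:
                b = b.__dict__                # module object -> its dict
            except:
                pass                          # already a dict
            return b
    return None

b = real_builtins()
os = b["__import__"]("os")                    # the name the host removed
result = os.getcwd()
'''


def naive_import_blocked() -> bool:
    """True if a plain `import os` is refused under SAFE_BUILTINS."""
    try:
        run_restricted(NAIVE_GUEST)
    except ImportError:          # CPython: "__import__ not found"
        return True
    return False


def escape_matches_host() -> bool:
    """True if the escaping guest obtained a working os module: the cwd it
    reports equals the one the (unrestricted) host sees."""
    return run_restricted(ESCAPE_GUEST)["result"] == os.getcwd()


if __name__ == "__main__":
    print("naive import blocked:", naive_import_blocked())
    print("guest escaped to os:  ", escape_matches_host())
```

The guest never names `getattr`, `type` or any exception class, because the host removed them; bare `except:` and attribute access on `()` are enough. Plugging this one path (for example by also hiding `__subclasses__`) only moves the problem, since the same module globals are reachable through frames, code objects and dozens of other attributes. That is the practical argument for chroot, jail or a VM with a firewall and a single brokered port, as recommended above.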