On 8/16/10 7:01 AM, Roland Koebler wrote: > On Sat, Aug 14, 2010 at 08:01:00PM -0700, Stephen Hansen wrote: >>> As you can see, black listing isn't the best approach here. >> >> But I have a two pronged strategy: the black list is only half of the >> equation. One, I'm blacklisting all the meta functions out of builtins. > But blacklists are *never* secure. Sorry, but you should fully understand > this before even thinking about more detailed security.
And whitelists are never secure, either. There is no such thing as perfectly secure, no. But that is not a goal that I've set for this at all. There's more secure, less secure, more likely to provide a vector for attack, less likely to provide a vector for attack. Every security precaution does end up having a cost: every one weakens the resulting environment or makes something someone wants to do legitimately more hard. Security is always a trade off. The goal is "secure enough" -- and what 'enough' is is going to vary a lot depending on different people's needs. If I were in a situation where I'm executing arbitrary code gathered off of the 'net, that'd be a very different demand and I'd be a lot more keen on finding a perfect sand box (and thus would simply not use Python). That isn't the case here; my relatively untrusted users are uniquely and specifically identifyable and trackable, their interface to the system is logged and actions recorded. There's no money involved in this system, nor possibility that someone could use it to get higher tier access on the parent machine: if someone gets through the sandbox, it'll be a nuisance, hurt some people's enjoyment, harm a community, but really-- it should be able to be fixed pretty rapidly, and then that person utterly locked out. I just want a sandbox that is good enough that it'd be really hard for someone to do that. That's all. Minimize how many times I have to go fix up something. :) > Why are you blacklisting the "known-bad" functions instead of whitelising > the allowed ones?? Because that would annoy some of the other users, who think the status quo isn't really all that bad and that I'm paranoid :) Me, I'm going to go farther on my own installation and kill import entirely, and do a sort of require() which returns a special proxied version of an imported module only if its on a pre-allowed white-list, and even then each individual member of said module will have to be white-listed specifically, too. But in general, I just want a better sandbox that starts things off without getting in anyone's way to do totally legitimate sorts of things. -- Stephen Hansen ... Also: Ixokai ... Mail: me+list/python (AT) ixokai (DOT) io ... Blog: http://meh.ixokai.io/
signature.asc
Description: OpenPGP digital signature
-- http://mail.python.org/mailman/listinfo/python-list
