Re: Embedding a restricted python interpreter

Paul Rubin writes on 08 Jan 2005 14:56:43 -0800: > Dieter Maurer <[EMAIL PROTECTED]> writes: > > It uses a specialized compiler that prevents dangerous bytecode operations > > to be generated and enforces a restricted builtin environment. > > Does it stop the user fr

Re: Embedding a restricted python interpreter

Dieter Maurer <[EMAIL PROTECTED]> writes: > It uses a specialized compiler that prevents dangerous bytecode operations > to be generated and enforces a restricted builtin environment. Does it stop the user from generating his own bytecode strings and demarshalling them? -- http://mail.python.

Re: Embedding a restricted python interpreter

Doug Holton <[EMAIL PROTECTED]> writes on Thu, 06 Jan 2005 20:34:31 -0600: > ... > Hi, there is a page on this topic here: > http://www.python.org/moin/SandboxedPython > > The short answer is that it is not possible to do this with the > CPython, but you can run sandboxed code on other virtual mac

Re: Embedding a restricted python interpreter

Paul Rubin schrieb: Best solution would probably be to create a thread for each request that can operate only with the id of an authenticated user. But this seems to be a problem with Apache or with Linux? Threads wouldn't do it--you'd need separate processes. For example, multiple threads in the

Re: Embedding a restricted python interpreter

On Thu, 2005-01-06 at 23:40, Steve Holden wrote: > Jp Calderone wrote: > > [...] > > > > > > A Python sandbox would be useful, but the hosting provider's excuse > > for not allowing you to use mod_python is completely bogus. All the > > necessary security tools for that situation are provide

Re: Embedding a restricted python interpreter

On Thu, 2005-01-06 at 23:05, Peter Maas wrote: > Craig Ringer schrieb: > It would certainly be difficult to track all harmful code constructs. > But AFAIK the idea of a sandbox is not to look at the offending code > but to protect the offended objects: files, databases, URLs, sockets > etc. and to

Re: Embedding a restricted python interpreter

Rolf Magnus wrote: Hi, I would like to embed a python interpreter within a program, but since that program would be able to automatically download scripts from the internet, I'd like to run those in a restricted environment, which basically means that I want to allow only a specific set of modules

Re: Embedding a restricted python interpreter

Rolf Magnus wrote: > I would like to embed a python interpreter within a program, but since > that program would be able to automatically download scripts from the > internet, I'd like to run those in a restricted environment, which > basically means that I want to allow only a specific set of mod

Re: Embedding a restricted python interpreter

Gerhard Haering <[EMAIL PROTECTED]> writes: > > But mod_python is an apache module and runs in the same apache process > > with other users' scripts. > > Which is why it's a good idea for each customer to have it's own > system user and their virtual hosts running under this uid. Which > was the i

Re: Embedding a restricted python interpreter

Peter Maas <[EMAIL PROTECTED]> writes: > I think PHP has a safe mode which solves the probem of isolating > scripts of different users on application level. This is not optimal > but better than nothing. Best solution would probably be to create > a thread for each request that can operate only wit

Re: Embedding a restricted python interpreter

Jp Calderone schrieb: But mod_python is an apache module and runs in the same apache process with other users' scripts. I am uncertain as to how this differs from mod_php (the alternative discussed in the OP's story). I've been away from PHP for a while, so perhaps mod_php has gained some fea

Re: Embedding a restricted python interpreter

On Thu, 6 Jan 2005 16:53:23 +0100, Gerhard Haering <[EMAIL PROTECTED]> wrote: > >--rwEMma7ioTxnRzrJ >Content-Type: text/plain; charset=us-ascii >Content-Disposition: inline >Content-Transfer-Encoding: quoted-printable > >On Thu, Jan 06, 2005 at 07:32:25AM -0800, Paul Rubin wrote: >> Jp Calderone <

Re: Embedding a restricted python interpreter

On Thu, Jan 06, 2005 at 07:32:25AM -0800, Paul Rubin wrote: > Jp Calderone <[EMAIL PROTECTED]> writes: > > A Python sandbox would be useful, but the hosting provider's excuse > > for not allowing you to use mod_python is completely bogus. All the > > necessary security tools for that situation

Re: Embedding a restricted python interpreter

On 06 Jan 2005 07:32:25 -0800, Paul Rubin <"http://phr.cx"@nospam.invalid> wrote: >Jp Calderone <[EMAIL PROTECTED]> writes: > > A Python sandbox would be useful, but the hosting provider's excuse > > for not allowing you to use mod_python is completely bogus. All the > > necessary security too

Re: Embedding a restricted python interpreter

Jp Calderone wrote: [...] A Python sandbox would be useful, but the hosting provider's excuse for not allowing you to use mod_python is completely bogus. All the necessary security tools for that situation are provided by the platform in the form of process and user separation. Not sure this

Re: Embedding a restricted python interpreter

Jp Calderone <[EMAIL PROTECTED]> writes: > A Python sandbox would be useful, but the hosting provider's excuse > for not allowing you to use mod_python is completely bogus. All the > necessary security tools for that situation are provided by the > platform in the form of process and user sepa

Re: Embedding a restricted python interpreter

On Thu, 06 Jan 2005 16:05:50 +0100, Peter Maas <[EMAIL PROTECTED]> wrote: >Craig Ringer schrieb: > > That is my understanding. In fact, I'd say with Python it's nearly > > impossible given how dynamic everything is and the number of tricks that > > can be used to obfuscate what you're doing. Think

Re: Embedding a restricted python interpreter

Craig Ringer schrieb: That is my understanding. In fact, I'd say with Python it's nearly impossible given how dynamic everything is and the number of tricks that can be used to obfuscate what you're doing. Think of the fun that can be had with str.encode / str.decode and getattr/hasattr . It would

Re: Embedding a restricted python interpreter

Check out http://mail.python.org/pipermail/python-dev/2003-January/031851.html for a historical thread on rexec.py's vulnerabilities. Right now, the answer for people who want restricted execution is usually "wait for pypy", due to the number of tricks that can subvert the rexec model. There

Re: Embedding a restricted python interpreter

Fredrick Lundh (at www.effbot.org ) was working on a 'cut down python' that only implements the bits of python he likes !! It would be great if the core of that interpreter could be used as a 'restricted interpreter'. If you could externally disable os, sys, os.path modules etc and limit the set

Re: Embedding a restricted python interpreter

Maurice LING <[EMAIL PROTECTED]> writes: > I won't really count on that. In my opinions, which may be wrong, > Python is not constructed to work in a sandbox like Java. Java does it > by subjecting all classes that it loads through a security > manager. What you seems to want is a Python to have Ja

Re: Embedding a restricted python interpreter

On Wed, 2005-01-05 at 13:43, Maurice LING wrote: > Rolf Magnus wrote: > > Hi, > > > > I would like to embed a python interpreter within a program, but since that > > program would be able to automatically download scripts from the internet, > > I'd like to run those in a restricted environment, wh

Re: Embedding a restricted python interpreter

Rolf Magnus wrote: Hi, I would like to embed a python interpreter within a program, but since that program would be able to automatically download scripts from the internet, I'd like to run those in a restricted environment, which basically means that I want to allow only a specific set of modules

Re: Embedding a restricted python interpreter

Rolf Magnus <[EMAIL PROTECTED]> writes: > I would like to embed a python interpreter within a program, but since that > program would be able to automatically download scripts from the internet, > I'd like to run those in a restricted environment, which basically means > that I want to allow only a

Embedding a restricted python interpreter

Hi, I would like to embed a python interpreter within a program, but since that program would be able to automatically download scripts from the internet, I'd like to run those in a restricted environment, which basically means that I want to allow only a specific set of modules to be used by the