Re: Security test of embedded Python

On 22-6-2011 4:44, Chris Angelico wrote: > Followup: The test box has been administratively taken offline after > about an hour of testing. Thank you to everyone who participated; it > seems we have a lot of changes to make! > > Monty failed the test. But it was an incredibly successful test. And

Re: Security test of embedded Python

Hi, The Google App Engine product seems to sandbox Python code, however it comes with a lot of limitations and maybe those can be an inspiration for how you design your infrastructure. http://code.google.com/appengine/docs/python/overview.html http://code.google.com/appengine/kb/commontasks.html

Re: Security test of embedded Python

Chris Angelico writes: > Meanwhile, I'm looking into V8 and whether we can do everything we > need to that way, and how much dev time it's going to take me to > change languages... If you want to run Python, one obvious approach is a controlled-execution wrapper like Geordi uses. -- http://mail.

Re: Security test of embedded Python

On Wed, Jun 22, 2011 at 1:09 PM, Benjamin Kaplan wrote: > Use Pyjamas with that and now you have your sandboxed Python :) > Not a day goes past without a reminder that I haven't yet explored Pyjamas! :) Monty's back online now in a restricted environment. I'm going to a meeting in a couple of ho

Re: Security test of embedded Python

On Tue, Jun 21, 2011 at 7:40 PM, Paul Rubin wrote: > Chris Angelico writes: >> I'll also be looking into Pike. Unfortunately its community is far >> smaller than Python's, so security holes may be less obvious. > > Actually the most obvious and widespread sandboxed language these days > is Javasc

Re: Security test of embedded Python

Chris Angelico writes: > I'll also be looking into Pike. Unfortunately its community is far > smaller than Python's, so security holes may be less obvious. Actually the most obvious and widespread sandboxed language these days is Javascript. There's several embeddable implementations. Maybe you

Re: Security test of embedded Python

Followup: The test box has been administratively taken offline after about an hour of testing. Thank you to everyone who participated; it seems we have a lot of changes to make! Monty failed the test. But it was an incredibly successful test. And hopefully, we'll be bringing things back online for

Re: Security test of embedded Python

On Wed, Jun 22, 2011 at 12:02 PM, Paul Rubin wrote: > Chris Angelico writes: >> users to supply scripts which will then run on our servers... >> The environment is Python 3.3a0 embedded in C++, running on Linux. > > This doesn't sound like a bright idea, given the well-known difficulty > of sandb

Re: Security test of embedded Python

Chris Angelico writes: > users to supply scripts which will then run on our servers... > The environment is Python 3.3a0 embedded in C++, running on Linux. This doesn't sound like a bright idea, given the well-known difficulty of sandboxing Python. Geordi

Security test of embedded Python

I'm involved in the construction of an environment that allows end users to supply scripts which will then run on our servers. We need to be able to offer the full flexibility of a scripting language, but without the risk of compromise to our computers. To that end, we have set up a system with pre