[Python-Dev] Embedded python module search path

Shane Hathaway shane at zope.com
Mon Aug 25 13:22:00 EDT 2003


Jack Jansen wrote:
> On Monday, August 25, 2003, at 06:36 AM, Guido van Rossum wrote:
> 
>> Well, in standard Python, the only access to the system is *also*
>> through extension modules -- if you count __builtin__ as an extension
>> module.  The other extension module you want to avoid is the posix
>> module (under Windows, the nt module).  It should be a simple matter
>> to remove this from your module search path.
> 
> 
> No, it isn't: simply doing "open = type(sys.stdout)" will revive open
> for you. So you'd really have to make sure no file objects are accessible
> either. And there are lots more loopholes like this.
> 
> With the current type system I think the only real solution would be
> to block this at a very low level, i.e. removing file objects from your
> build, or at least completely disabling their side-effects.

FWIW, Zope takes an approach to restricted Python code that's worth 
considering.  We once thought rexec and Bastion would eventually 
supersede Zope's "RestrictedPython" package, so not a lot of effort went 
into non-Zope-specific documentation.  However, RestrictedPython has 
outlived both rexec and Bastion, so maybe detailed documentation would 
now be valuable.

Here is a general overview of the approach RestrictedPython takes:

- All builtins and modules are guilty until proven innocent.  Restricted 
modules have a special __builtins__ and an __import__ hook.

- We use a modified compiler, based on the now-standard compiler module, 
to prevent exec statements and hook print statements.  The compiler also 
adds hooks for getattr, setattr, delattr, getitem, setitem, and delitem 
operations.  Augmented assignment is disallowed (too complicated to 
support).

- The type() builtin is considered unsafe.  It opens a big unknown. 
However, a same_type() builtin is provided, which is close enough for 
most purposes.  There are safe equivalents for other builtins as well.

- Here's the hard one for some people to swallow: the compiler prevents 
restricted scripts from using names that start with an underscore. 
Being able to define a name like "__import__" could get around the hooks.

This might be considered draconian, but no one has spotted any holes yet 
in the safety net, and the benefit of being able to script in Python 
outweighs the losses.  It doesn't implement resource limitations, like 
preventing scripts from eating up all available RAM or simply never 
terminating.  True resource limitations would require running scripts in 
a separate process.  RestrictedPython is also a boring name.  However, 
RestrictedPython is safer than anything else we know of in the Python world.

Shane
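A reduced sketch of the approach Shane describes, added here as an illustration and not Zope's RestrictedPython code: a compile-time pass over the `ast` module (instead of the old `compiler` module) that rejects underscore names and augmented assignment and routes attribute reads through a `_getattr_` hook, plus a "guilty until proven innocent" `__builtins__` with `same_type()` and an `__import__` allow-list. The allow-list, the builtin set and the `_getattr_` name are constructed assumptions; attribute writes are simply rejected rather than hooked, to keep the example short.

```python
import ast

ALLOWED_MODULES = {"math"}   # constructed allow-list consulted by the __import__ hook

class Restrict(ast.NodeTransformer):
    """Reject underscore names, augmented assignment and attribute writes;
    rewrite every attribute read into a call to the _getattr_ hook."""
    def generic_visit(self, node):
        for field in ("id", "name", "attr", "arg", "asname"):
            value = getattr(node, field, None)
            if isinstance(value, str) and value.startswith("_"):
                raise SyntaxError(f"underscore name not allowed: {value}")
        return super().generic_visit(node)
    def visit_AugAssign(self, node):
        raise SyntaxError("augmented assignment not allowed")
    def visit_Attribute(self, node):
        self.generic_visit(node)               # checks node.attr, visits node.value
        if not isinstance(node.ctx, ast.Load):
            raise SyntaxError("attribute assignment/deletion not supported here")
        call = ast.Call(func=ast.Name(id="_getattr_", ctx=ast.Load()),
                        args=[node.value, ast.Constant(node.attr)], keywords=[])
        return ast.copy_location(call, node)

def guarded_getattr(obj, name):
    """Runtime side of the hook: underscore attributes are never reachable."""
    if name.startswith("_"):
        raise AttributeError(f"access to {name!r} is not allowed")
    return getattr(obj, name)

def same_type(a, b):
    """Stand-in for type(): answers the usual question without handing out types."""
    return type(a) is type(b)

def restricted_import(name, *args, **kwargs):
    """__import__ hook: only allow-listed top-level modules may be imported."""
    if name.split(".")[0] not in ALLOWED_MODULES:
        raise ImportError(f"import of {name!r} is not allowed")
    return __import__(name, *args, **kwargs)

# No type(), getattr(), open() or exec() here: everything else stays unreachable.
SAFE_BUILTINS = {"len": len, "range": range, "abs": abs, "int": int, "str": str,
                 "same_type": same_type, "__import__": restricted_import}

def compile_restricted(source):
    tree = Restrict().visit(ast.parse(source))
    return compile(ast.fix_missing_locations(tree), "<restricted>", "exec")

def run_restricted(source):
    """Run untrusted source under the special __builtins__; return its namespace."""
    ns = {"__builtins__": SAFE_BUILTINS, "_getattr_": guarded_getattr}
    exec(compile_restricted(source), ns)
    return ns
```

With this in place, `open = type(sys.stdout)` fails twice over: `sys` is not importable and `type` is not a builtin, while `math.floor(2.7)` still works through the hook.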