Re: [pypy-dev] Sandboxing in Pypy and Crunchy
In a message of Sun, 09 Dec 2007 13:22:10 -0400, "Andre Roberge" writes:
Hello everyone,
Please forget the intrusion but I did not know where else to ask this question.
Welcome. This is not an intrusion. You have come to the right place.

You may want to start by reading this.
http://codespeak.net/pypy/dist/pypy/doc/sandbox.html

Cpython is the python you know and use, the one that is written in C. pypy-c is a pypy interpreter, which could be interpreting python, but could also be interpreting prolog, or javascript, or squeak -- and which produces as its output c code that you can run. Just so you don't confuse them as you are reading.
Through my involvement with Google's Highly Open Participation contest, I have learned about the sandboxing capabilities of pypy and, I believe although I can't find it anymore, the ability to limit the time allowed to a given process. Even if this last one is wrong, the sandboxing capability is something I would be extremely interested in using.
The application I have in mind is Crunchy. In a nutshell: Crunchy takes an arbitrary html page (with embedded Python code inside <pre> tags) and transforms it so that the user can execute, in a variety of ways, the Python code displayed in a browser (Firefox) window. It is a different way to interact with code than the ones given as examples on http://play1.codespeak.net/.
Crunchy's user code (executed from the browser window) is not sandboxed. I was wondering how difficult it would be to have it sandboxed.
Here are a few more specific questions:
1 a. Is it possible to create a "sandboxed python interpreter" that can be included as a module distributed with a cPython based program (Crunchy) without having pypy included in the distribution?
1 b. If so, does that module have to be (pre-)compiled for a given target machine?
2. Is it possible to limit the time for a given process (as mentioned above)?
Thank you in advance for anyone that can give me some information regarding the above. If you feel this discussion is not appropriate for this list, please do not hesitate to tell me so and perhaps answer the questions "off-list". And, if the answers are simply: read this URL, and try this example, it would be appreciated as well.
Cheers,
André
This list is the appropriate place for this discussion. But so is #pypy on irc.freenode.net. There you can hold real conversations, so it's often faster to figure things out by talking to us there.

Can you post the details of the architecture of crunchy? Where does the student's code run? On the student's machine? or on the teacher's server machine?

The ability to sandbox is a property of the architecture of pypy. It's not a module that you could port to Cpython. The person you want to sandbox has to be running pypy.

Laura
P.S. Crunchy's code is ... the work of two Python hobbyists ... and is probably not worth looking at - I can probably clarify any specific point needed to find out how it works, if needed to answer the questions I raised, better by email than having anyone read its code.

_______________________________________________
pypy-dev@codespeak.net
http://codespeak.net/mailman/listinfo/pypy-dev
Hi Laura,

I should have known that you'd be one of the first to reply. ;-)

On Dec 9, 2007 6:04 PM, Laura Creighton <lac@openend.se> wrote:
In a message of Sun, 09 Dec 2007 13:22:10 -0400, "Andre Roberge" writes:
You may want to start by reading this. http://codespeak.net/pypy/dist/pypy/doc/sandbox.html
I had read that, but it was not clear to me.
Cpython is the python you know and use, the one that is written in C. pypy-c is a pypy interpreter, which could be interpreting python, but could also be interpreting prolog, or javascript, or squeak -- and which produces as its output c code that you can run. Just so you don't confuse them as you are reading.
Ok, I had more or less understood that.
[snip]
Here are a few more specific questions:
1 a. Is it possible to create a "sandboxed python interpreter" that can be included as a module distributed with a cPython based program (Crunchy) without having pypy included in the distribution?
1 b. If so, does that module have to be (pre-)compiled for a given target machine?
2. Is it possible to limit the time for a given process (as mentioned above)?
This list is the appropriate place for this discussion. But so is #pypy on irc.freenode.net. There you can hold real conversations, so it's often faster to figure things out by talking to us there.
Sorry, I'm too old for the irc stuff ;-)
Can you post the details of the architecture of crunchy?
Hmm, I'm not sure I can do that very well... the best I can do I think is to describe what it does.

1. Crunchy retrieves an html page.
2. It processes it, removing pre-existing javascript and various undesired html tags
3. It identifies where it needs to add custom elements (new html tags & javascript code)
4. It feeds the page to the browser, leaving a line of communication open, waiting for user instruction.

At step 3. above, a new thread is started for each place in the page where an interaction with a Python interpreter is required. Following user interaction (click of a button or entering some code in an html input box), the user code is fed back to the appropriate interpreter (thread) and the result is sent back to the browser.

If I recall correctly, the interpreter used is a small variation from code.py included in Python standard library. It is this part (I believe) that needs to be sandboxed - a single module.
Where does the student's code run? On the student's machine? or on the teacher's server machine?
Right now Crunchy is primarily used in a single user environment. It would be possible to host it on a server, but it would be very insecure to do so. Ideally it should be hosted in a secure way on a server in most situations.
The ability to sandbox is a property of the architecture of pypy. It's not a module that you could port to Cpython. The person you want to sandbox has to be running pypy.
Darn :( I was hoping I could somehow just call a sandboxed interpreter module .... Then again, it means that I'll have to try pypy myself, and play with it - something I meant to do ... but did not for lack of time. It also makes it more of a burden on potential users if they have to install pypy in addition to Crunchy. Thanks for your clarifications,
Laura
PS. Yes, Laura, it is cold and there is snow (unusual at this time of the year) in your beloved Nova Scotia ;-)
Hi André,

I'm trying to clear up some confusion:

Andre Roberge wrote: [snip]
On Dec 9, 2007 6:04 PM, Laura Creighton <lac@openend.se> wrote:
the student's code run? On the student's machine? or on the teacher's server machine?
Right now Crunchy is primarily used in a single user environment. It would be possible to host it on a server, but it would be very insecure to do so. Ideally it should be hosted in a secure way on a server in most situations.
The ability to sandbox is a property of the architecture of pypy. It's not a module that you could port to Cpython. The person you want to sandbox has to be running pypy.
Darn :( I was hoping I could somehow just call a sandboxed interpreter module ....
The sandboxed PyPy Python interpreter needs to be controlled by an external Python interpreter to provide the virtual environment for the sandbox. This external interpreter can be a completely normal CPython. ASCII diagram:

    +-----------------------------------------+
    | controlling Python interpreter (CPython)|
    +-----------------------------------------+
          |                       ^
          |   all communication   |
          v                       |
    +----------------------------------+
    | sandboxed PyPy Python interpreter|
    +----------------------------------+

the two boxes are different processes. With a bit of effort, the view of the controlling Python on the sandboxed interpreter can be that of a simple module that provides a sandboxed way to execute Python code. There is also no reason why the outer process cannot control more than one sandboxed interpreter.

Therefore the answer to your question might be yes. Deployment-wise it doesn't behave much like an extension module though: You have a bit of pure-Python code for the upper interpreter plus a binary with a full Python interpreter.
Then again, it means that I'll have to try pypy myself, and play with it - something I meant to do ... but did not for lack of time. It also makes it more of a burden on potential users if they have to install pypy in addition to Crunchy.
Yes, probably. However, you just need this solution only if you want the Python code to run on a server, not if the Python code runs on the user's machine.

Cheers,

Carl Friedrich
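Added example, not part of the original thread and not PyPy's own code or protocol: a minimal model of the two-process layout in the diagram above, in which a controlling CPython process answers every request from the child out of a virtual environment and enforces a wall-clock limit. The JSON-lines protocol and the names `run_sandboxed`, `CHILD` and `vfs` are assumptions made for illustration, and plain CPython stands in for the sandboxed binary.

```python
import json, subprocess, sys, threading
# Constructed untrusted program. In this model it performs no I/O of its own:
# every resource is requested from the controller as one JSON line on stdout.
CHILD = r'''
import json, sys
def ask(**req):
    print(json.dumps(req), flush=True)
    return json.loads(sys.stdin.readline())
for path in ("/notes/hello.txt", "/etc/passwd"):
    reply = ask(op="read", path=path)
    ask(op="log", text=reply.get("data", reply.get("error")))
'''

def run_sandboxed(source, vfs, timeout=5.0, binary=sys.executable):
    """Controller side: run `source` in a second process, answer its requests
    from the virtual filesystem `vfs` only, and kill it after `timeout` seconds.
    ASSUMPTION: `binary` stands in for a sandboxed interpreter; plain CPython,
    used here so the sketch runs, does not confine the child by itself."""
    proc = subprocess.Popen([binary, "-I", "-c", source], text=True,
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    timed_out = threading.Event()
    def expire():
        timed_out.set()
        proc.kill()
    timer = threading.Timer(timeout, expire)
    timer.start()
    log = []
    try:
        for line in proc.stdout:              # one request per line
            req = json.loads(line)
            if req.get("op") == "read" and req.get("path") in vfs:
                reply = {"ok": True, "data": vfs[req["path"]]}
            elif req.get("op") == "log":
                log.append(str(req.get("text")))
                reply = {"ok": True}
            else:                             # default deny
                reply = {"ok": False, "error": "denied"}
            proc.stdin.write(json.dumps(reply) + "\n")
            proc.stdin.flush()
    except (OSError, ValueError, AttributeError, TypeError):
        pass                                  # child died or sent a malformed request
    finally:
        timer.cancel()
        proc.kill()
        proc.wait()
    return {"log": log, "timed_out": timed_out.is_set()}
if __name__ == "__main__":
    print(run_sandboxed(CHILD, {"/notes/hello.txt": "hi"}))
    print(run_sandboxed("while True: pass", {}, timeout=0.5))
```

The controller only ever sees requests, so the policy lives entirely in the outer process; one outer process can call `run_sandboxed` for several children, as the message notes.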
Thanks, (to all of you)

This clarifies things quite a bit. Something to look at in 2008, after the Crunchy 1.0 release.

André

On 12/10/07, Carl Friedrich Bolz <cfbolz@gmx.de> wrote:
Hi André,
I'm trying to clear up some confusion:
Andre Roberge wrote: [snip]
On Dec 9, 2007 6:04 PM, Laura Creighton <lac@openend.se> wrote:
the student's code run? On the student's machine? or on the teacher's server machine?
Right now Crunchy is primarily used in a single user environment. It would be possible to host it on a server, but it would be very insecure to do so. Ideally it should be hosted in a secure way on a server in most situations.
The ability to sandbox is a property of the architecture of pypy. It's not a module that you could port to Cpython. The person you want to sandbox has to be running pypy.
Darn :( I was hoping I could somehow just call a sandboxed interpreter module ....
The sandboxed PyPy Python interpreter needs to be controlled by an external Python interpreter to provide the virtual environment for the sandbox. This external interpreter can be a completely normal CPython. ASCII diagram:
    +-----------------------------------------+
    | controlling Python interpreter (CPython)|
    +-----------------------------------------+
          |                       ^
          |   all communication   |
          v                       |
    +----------------------------------+
    | sandboxed PyPy Python interpreter|
    +----------------------------------+
the two boxes are different processes. With a bit of effort, the view of the controlling Python on the sandboxed interpreter can be that of a simple module that provides a sandboxed way to execute Python code. There is also no reason why the outer process cannot control more than one sandboxed interpreter. Therefore the answer to your question might be yes. Deployment-wise it doesn't behave much like an extension module though: You have a bit of pure-Python code for the upper interpreter plus a binary with a full Python interpreter.
Then again, it means that I'll have to try pypy myself, and play with it - something I meant to do ... but did not for lack of time. It also makes it more of a burden on potential users if they have to install pypy in addition to Crunchy.
Yes, probably. However, you just need this solution only if you want the Python code to run on a server, not if the Python code runs on the user's machine.
Cheers,
Carl Friedrich
On 09/12/2007, at 20:04, Laura Creighton wrote:
Can you post the details of the architecture of crunchy? Where does the student's code run? On the student's machine? or on the teacher's server machine?
The idea is that you now run it on your own computer, as python is not sandboxed. But with pypy you could run it on an open server without problems. Well there is one problem, someone has to try it on pypy, and then if it works you have to set up a server to run it, to be like the ruby tutorial online (forgot the link).

--
Leonardo Santagada
participants (4)
- Andre Roberge
- Carl Friedrich Bolz
- Laura Creighton
- Leonardo Santagada