[Distutils] easy_install runnable in a sandbox environment?
Rick van der Zwet
info at rickvanderzwet.nl
Thu May 10 19:25:17 CEST 2012
On 10 May 2012 05:30, PJ Eby <pje at telecommunity.com> wrote:
> On Wed, May 9, 2012 at 6:42 PM, Rick van der Zwet <info at rickvanderzwet.nl>
>> Quite some time ago, their has been comments in the changelog (06.c4)
>> stating that running easy_install without /dev/urandom should be
>> Fixed not allowing os.open() of paths outside the sandbox, even if
>> they are opened read-only (e.g. reading /dev/urandom for random
>> numbers, as is done by os.urandom() on some platforms).
>> While this was back in 2006, I was wondering what the current state of
>> affairs which regards of requiring the /dev/urandom as of today? Am I
>> looking at a feature request, bug report or design limitation?
> You're confusing easy_install's internal sandboxing with running
> easy_install in a chroot environment. easy_install runs setup scripts in a
> Python sandbox that disallows certain file accesses in order to handle
> badly-coded setup.py files that copy files directly to guessed installation
> locations, instead of relying on the distutils to do the copying. The
> change notes you're reading are discussing *that* sandbox, which is internal
> to Python/setuptools and is unrelated to chrooting.
Spot on, nice! Mounting /dev (mount -t devfs devfs
/usr/local/sandbox/dev) before entering the sandbox will be the
Thanks for explaining.
More information about the Distutils-SIG