[Idle-dev] RE: idle-fork odds and ends

David Scherer dscherer@vysics.com
Sat, 23 Jun 2001 14:41:05 -0400


> > Understood.  I'll probably give my changes (which are just three new
> > files plus diffs to a fourth) to Stephen for consolidation.  I think
> > the main change that needs to be made to make it safer is that the
> > parent process (IDLE) should listen for a connection and the
> > subprocess that executes the commands should connect to the parent. It
> > is currently the other way around, which is unsafe.  Additional safety
> > measures should also be taken, but I believe this reversal of roles is
> > essential.
> 
> David, if you have even the teeniest amount of time available, or could
> recommend someone who's up on the topic, this is one of the things I would
> appreciate some help on. (Any other volunteers for this?)

I have enough time to answer questions, at least.  I haven't seen
Guido's source, so I can't comment on it.  I can tell you the following
about the code currently in idle-fork:

(1) My implementation of "remote process execution" already works the
way Guido wants: IDLE listens for a connection, then spawns a subprocess
which connects back to IDLE.  This makes it unlikely that an attacker
will be able to connect to the subprocess, although they may be able to
connect to IDLE.  However, my implementation probably isn't secure,
because:

(2) My implementation uses a simple RPC protocol implemented in
protocol.py for communication in both directions.  I took this approach
over simple I/O redirection because I imagined that eventually debugging
functionality would be desired, and RPC would make implementing that
vastly easier.  Since the subprocess can make RPC calls into IDLE,
making IDLE the server doesn't really help.

(3) It seems to me that making the connection between IDLE and its
subprocess in a secure way is a much better solution than trying to make
the protocol itself secure.  I think this is normally done by creating
both the client and server ends of the connection in IDLE, and passing
one end to the subprocess during its creation.  However, I'm not sure
that can be done in a cross-platform way.

Let me know what else you want to know.
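
The approach described in point (3), as an added example that is not part of the original message or of idle-fork's code: the parent creates both ends of the connection with `socket.socketpair()` and hands one end to the subprocess at creation, so there is no listening port for anyone else to connect to. It assumes a POSIX system (`pass_fds` is not available on Windows, which is the cross-platform concern raised above); `evaluate_in_child` and `CHILD_SRC` are hypothetical names, and the line-based exchange stands in for the RPC protocol.

```python
import socket
import subprocess
import sys

# Child program (constructed for this example). It rebuilds a socket from the
# inherited descriptor number in argv[1]; it never listens or connects.
CHILD_SRC = r"""
import socket, sys
sock = socket.socket(fileno=int(sys.argv[1]))
rfile, wfile = sock.makefile("r"), sock.makefile("w")
for line in rfile:                      # one expression per line
    wfile.write(repr(eval(line)) + "\n")
    wfile.flush()
"""


def evaluate_in_child(expressions):
    """Evaluate each expression in a subprocess over an inherited socketpair."""
    # Both ends are created here; the pair has no address and no port.
    parent_end, child_end = socket.socketpair()
    proc = subprocess.Popen(
        [sys.executable, "-c", CHILD_SRC, str(child_end.fileno())],
        pass_fds=[child_end.fileno()],  # the only extra descriptor inherited
    )
    child_end.close()                   # parent keeps only its own end
    results = []
    with parent_end, parent_end.makefile("r") as rfile, \
            parent_end.makefile("w") as wfile:
        for expr in expressions:
            wfile.write(expr + "\n")
            wfile.flush()
            results.append(rfile.readline().rstrip("\n"))
        parent_end.shutdown(socket.SHUT_WR)  # EOF ends the child's loop
    proc.wait(timeout=10)
    return results, proc.returncode


if __name__ == "__main__":
    print(evaluate_in_child(["6 * 7", "'idle'.upper()"]))
```

Because the channel is still bidirectional, this only removes the network-reachable endpoint; what the subprocess is allowed to request from the parent remains a separate question, as point (2) notes.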