[IPython-dev] cluster file syntax [redirect from ipy-user]

Fernando Perez Fernando.Perez at colorado.edu
Fri Mar 17 02:43:19 EST 2006

[redirecting to ipython-dev, where this is more on-topic]

Brian Granger wrote:
> I would say we should use python for this.  I am not worried about
> security in the config files.  It there is security critical
> information (like passwords to remote machines) we can come up with a
> secre way of storing them alone.  So let's go with the python file
> option.

Well, let's think about it just a little longer: the issue is not only 
passwords, it's also the execution of arbitrary code upon loading.  A simple 
key/value format is not executable, so short of gross bugs in the parser, 
there's no room for hostile code injection.  OTOH, a python format means 
executing it with something like execfile() or import, point at which the 
whole thing can do anything it wants (including os.system('rm -rf ~')).

It is a minor concern, but I do worry that for the audience this can be 
pitched to, it may be better to nip in the bud any fears that the config files 
(needed to start the clusters) can have potential security implications of 
that nature.  What do you think?

> Have you standardized on how IPython will do this exactly?  I will
> probably begin to look through ipython trunk to see how it is being
> done currently.  If you any other implementation ideas, let me know.

As I was writing this, I saw Ville's message on ipython-user, so there's 
already something in that direction in place.  I need to look at this code to 
see exactly if it does everything we need in the long run, but it whatever we 
do we'll evolve from there.

> Brian

[ leaving for context on ipython-dev ]

> On 3/16/06, Fernando Perez <Fernando.Perez at colorado.edu> wrote:
>>Brian Granger wrote:
>>>While we are making this change, do we want to also change the format
>>>of this file?  It would be nice to have it be human readable/editable.
>>> My preference would have it be a valid python file, but I am not sure
>>>of the best way of doing this.  You have thought a lot more about
>>>config files than I have.  Any thoughts?
>>Well, the big question with config files is whether to use python itself as
>>the language, or something else and parse it.  Brief comparison:
>>1. Use python.
>>Pros: no parsing required (well, we get it for free from python itself),
>>extremely flexible for the users, they can put any logic they want.
>>Cons: security, mostly: arbitrary code can execute there.  And a little bit of
>>potential complexity, as variables need to be declared in the file.
>>2. Use something else.
>>The easiest in terms of dependencies is the basic ConfigParser format:
>>Pros: safe, easy to read and write.  Security is really the big plus.
>>Cons: more parsing involved, and more work to transform values defined in the
>>file into python objects we need.  Less flexibility for users (it's a
>>key/value file, not a programming language, so no logic allowed).
>>In this particular case, I'm not sure the security issue is that big of a
>>deal, since this is a system to execute arbitrary python code anyway.  But
>>given how paranoid one may want to be...
>>For ipython itself, I'm /definitely/ going with (1) in the future, but that's
>>an easy one.  People load arbitrary code in their rc file anyway, it's just
>>that today's system makes it inconvenient; I want it to be easy.
>>For the cluster config format, we could certainly go with (2) if you prefer to
>>play it safe, even though it will be a tiny bit more work for us, and less
>>flexible for users.
>>This message scanned for viruses and SPAM by GWGuardian at SCU (MGW1)
> --
> Brian Granger
> Santa Clara University
> ellisonbg at gmail.com

More information about the IPython-dev mailing list