[Python-3000] Will we have a true restricted exec environment for python-3000?

Nick Coghlan ncoghlan at gmail.com
Sat Apr 8 12:28:50 CEST 2006


Martin v. Löwis wrote:
> Vineet Jain wrote:
>> Is it wishful thinking 
>> to have a python restricted exec mode which allows for:
> 
> I would say so, yes: this needs some dedicated maintainer who
> comes up with an architecture, provides an initial implementation,
> and then monitors ongoing changes to make sure nobody can bypass
> the restrictions.
> 
> I don't think any of the regular contributors is interested in
> that kind of project.

I'm interested, but I'm also aware of how much work it would be. I'm 
disinclined to trust any mechanism which allows the untrusted code to run in 
the same process, as the implications of being able to do:

self.__class__.__mro__[-1].__subtypes__()

are somewhat staggering, and designing an in-process sandbox to cope with that 
is a big ask (and demonstrating that the sandbox actually *achieves* that goal 
is even tougher).

And once you move to an out-of-process sandbox, then the only Python specific 
issue remaining is improving the support for inter-process communications. The 
security issues are then more in the domain of the OS:
   - controlling file access permissions on a per-process basis
   - controlling network access permissions on a per-process basis
   - limiting the memory usage of a process
   - limiting the CPU usage of a process

Studying rexec/Bastion and their flaws, investigating OS-based solutions like 
chroot jails, looking at distributed processing frameworks like Kamaelia, and 
then figuring out how to combine the various concepts into a secure 
cross-platform Python restricted execution mechanism is something I would love 
to do.

But it would only be feasible if some angel came along and offered me (or 
somebody else) a full-time job doing it, because there's no way I could do it 
in my spare time and make it work in a usable fashion. Something like this 
would also need the support of an organisation behind it in order to be able 
to jump on security problems quickly.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
---------------------------------------------------------------
             http://www.boredomandlaziness.org
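The out-of-process approach sketched in the message above, as an added example (not code from the original post, nor from rexec/Bastion): untrusted code runs in a separate interpreter process and the OS enforces the memory and CPU limits listed there. It assumes a POSIX host with the `resource` module; the `run_untrusted` name, the limit values and the sample payloads are constructed for illustration.

```python
"""Out-of-process sandbox sketch (added example, not from the original post):
run untrusted Python in a fresh interpreter process and let the OS enforce
CPU and memory limits.  Assumes a POSIX host (resource.setrlimit)."""
import resource
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass
class RunResult:
    returncode: Optional[int]  # None when the wall-clock timeout killed the child
    stdout: str
    stderr: str
    timed_out: bool


def _make_limiter(cpu_seconds: int, memory_bytes: int):
    """Build the hook that runs in the child after fork() and before exec()."""
    def apply_limits() -> None:
        # Hard == soft, so the untrusted code cannot raise the limits again.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
        resource.setrlimit(resource.RLIMIT_AS, (memory_bytes, memory_bytes))
        resource.setrlimit(resource.RLIMIT_FSIZE, (0, 0))  # no regular-file writes
    return apply_limits


def run_untrusted(code: str, *, cpu_seconds: int = 2,
                  memory_bytes: int = 512 * 1024 * 1024,
                  wall_seconds: float = 10.0) -> RunResult:
    """Run `code` in an isolated interpreter (-I: ignore env and user site,
    -S: skip site.py) under the given limits.  Exceeding RLIMIT_CPU ends the
    child with SIGXCPU; exceeding RLIMIT_AS shows up as MemoryError inside it."""
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-S", "-c", code],
            capture_output=True, text=True, timeout=wall_seconds,
            preexec_fn=_make_limiter(cpu_seconds, memory_bytes),
        )
    except subprocess.TimeoutExpired:
        return RunResult(None, "", "", True)  # parent killed the child
    return RunResult(proc.returncode, proc.stdout, proc.stderr, False)


if __name__ == "__main__":
    # Constructed payloads: benign, memory-hungry, CPU-hungry.
    print(run_untrusted("print(sum(range(100)))"))
    print(run_untrusted("x = bytearray(1 << 30)"))           # MemoryError, exit 1
    print(run_untrusted("while True: pass", cpu_seconds=1))  # killed by SIGXCPU
```

File and network access, the other two items in the list, are outside what `setrlimit` covers and need OS facilities such as chroot, namespaces or a separate user account.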
