[Python-checkins] r51756 - python/branches/bcannon-objcap/securing_python.txt
brett.cannon
python-checkins at python.org
Wed Sep 6 01:50:50 CEST 2006
Author: brett.cannon
Date: Wed Sep 6 01:50:50 2006
New Revision: 51756
Modified:
python/branches/bcannon-objcap/securing_python.txt
Log:
Finalize list of built-in types that are dangerous and how to handle them.
Modified: python/branches/bcannon-objcap/securing_python.txt
==============================================================================
--- python/branches/bcannon-objcap/securing_python.txt (original)
+++ python/branches/bcannon-objcap/securing_python.txt Wed Sep 6 01:50:50 2006
@@ -27,7 +27,10 @@
* Add objcap.code_new() function [done]
- frame
* do not allow importing 'sys' module to get to
- sys._getframe() or sys._current_frames().
+ sys._getframe(), sys._current_frames(), or setting a trace
+ or profile function.
+ - object() [done]
+ * Remove object.__subclasses__ (`Mutable Shared State`_) [done]
+ Sandboxed versions of built-ins (`Sanitizing Built-In Types`_)
- open()
- __import__() / PEP 302 importer (`Imports`_)
@@ -38,16 +41,16 @@
should also check raising SystemExit)
- input() / raw_input() (XXX make sure it gets its stdin from sys.stdin
and not sys.__stdin__)
- - type() (?)
- - object()
- * Remove object.__subclasses__ (`Mutable Shared State`_) [done]
- * XXX
- globals() / vars() (?)
+ Filesystem path hiding (`Filesystem Information`_)
+ Tweaked stdlib modules
- mini 'sys' module (`Making the ``sys`` Module Safe`_)
+ * XXX mark what attributes are global to the process
- genericpath module (for os.path when C modules blocked)
- socket (`Safe Networking`_)
+ - thread (XXX only if worried about thread resource starvation,
+ interrupt_main() not per-interpreter, and stack_size() can be
+ dangerous)
+ Create sandboxed interpreter stdlib module
- Be able to specify built-ins
- Set 'sys' module settings
@@ -598,17 +601,24 @@
The ``sys`` module is an odd mix of both information and settings for
the interpreter. Because of this dichotomy, some very useful, but
innocuous information is stored in the module along with things that
-should not be exposed to sandboxed interpreters.
+should not be exposed to sandboxed interpreters. This includes
+settings that are global to the Python process along with settings
+that are specific to each interpreter.
This means that the ``sys`` module needs to have its safe information
separated out from the unsafe settings. This will allow an import
proxy to let through safe information but block out the ability to set
values.
+This separation will also require some reworking of the underpinnings
+of how interpreters are created as currently Py_NewInterpreter() sets
+an interpreter's sys module dict to one that is shared by *all*
+interpreters.
+
XXX separate modules, ``sys.settings`` and ``sys.info``, or strip
-``sys`` to settings and put info somewhere else? Or provide a method
-that will create a faked sys module that has the safe values copied
-into it?
+``sys`` to settings and put info somewhere else (interpreter?)? Or
+provide a method that will create a faked sys module that has the safe
+values copied into it?
The safe attributes are:
More information about the Python-checkins
mailing list