[Python-Dev] rexec question
Jeremy Hylton
jeremy@zope.com
Mon, 15 Apr 2002 12:58:52 -0400
>>>>> "SP" == Samuele Pedroni <pedroni@inf.ethz.ch> writes:
SP> what's the general python-dev opinion about rexec security
SP> enforcement?
SP> can it be trusted? is it up to, e.g., Java security?
No.
There's been no serious maintenance of rexec since work on the Knowbot
system stopped, AFAIK. New-style types, e.g., don't have any of the
same checks that classic classes have.
There are really two parts to rexec: The basic checks in the
interpreter to limit access to certain objects, and the rexec
import hooks and related mechanism.
The Bastion object plus basic checks in the interpreter limit access
to an object (can't access __dict__, classes are immutable, etc.) in
order to achieve some kind of enforced encapsulation; Java's type
system provides this automatically.
Jim Fulton has suggested using proxies to implement security (mislabelled,
I think, as capabilities):
http://www.zope.org//Wikis/DevSite/Projects/ComponentArchitecture/CapabilityBasedSecurity
I really like this proposal because it takes all the various rexec
checks in the interpreter and pushes them out to a proxy object that
can implement exactly the checks needed. I'd have more trust in this
mechanism, because there is less code to inspect to review the
encapsulation mechanism.
Jeremy
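The proxy approach the post favours, as an added example that is not code from this python-dev message, from Zope, or from the rexec/Bastion modules (both of which were removed in Python 3). It wraps a constructed `Account` object in a hypothetical `ReadOnlyProxy` that exposes only an explicit allow-list of attribute names and refuses everything else, including `__dict__` and `__class__`, and makes the wrapped object immutable through that reference. All class and function names below are assumptions for illustration.

```python
"""Capability-style proxy: the checks live in the proxy, not the interpreter.

Added example, not from the python-dev post or Zope. `Account` is a
constructed sample object; `ReadOnlyProxy`, `make_account_view` and
`can_access` are hypothetical names chosen for this illustration.
"""
from typing import Any, FrozenSet


class Account:
    """Constructed sample object with one attribute a view should never expose."""

    def __init__(self, owner: str, balance: int) -> None:
        self.owner = owner
        self.balance = balance
        self._audit_token = "constructed-secret"  # must stay hidden behind the proxy

    def deposit(self, amount: int) -> int:
        if amount <= 0:
            raise ValueError("amount must be positive")
        self.balance += amount
        return self.balance


class ReadOnlyProxy:
    """Expose only the attribute names in `allowed`; deny everything else.

    __slots__ keeps the proxy itself free of a __dict__ a caller could read,
    and __setattr__/__delattr__ raise, so the target cannot be mutated
    through this reference (the "classes are immutable" check from the post,
    done in one object instead of scattered through the interpreter).
    """

    __slots__ = ("_target", "_allowed")

    def __init__(self, target: Any, allowed: FrozenSet[str]) -> None:
        # Bypass our own __setattr__, which refuses all assignments.
        object.__setattr__(self, "_target", target)
        object.__setattr__(self, "_allowed", frozenset(allowed))

    def __getattribute__(self, name: str) -> Any:
        # Every lookup, dunder names included, passes through this allow-list,
        # so proxy.__dict__, proxy.__class__ and proxy._target are all denied.
        allowed = object.__getattribute__(self, "_allowed")
        if name not in allowed:
            raise AttributeError(f"access to {name!r} denied by proxy")
        target = object.__getattribute__(self, "_target")
        # Methods come back bound to the target, so calling them still works.
        return getattr(target, name)

    def __setattr__(self, name: str, value: Any) -> None:
        raise AttributeError("proxy is read-only")

    def __delattr__(self, name: str) -> None:
        raise AttributeError("proxy is read-only")

    def __repr__(self) -> str:
        return "<ReadOnlyProxy>"


def make_account_view(account: Account) -> ReadOnlyProxy:
    """Grant exactly three capabilities on an account: owner, balance, deposit."""
    return ReadOnlyProxy(account, frozenset({"owner", "balance", "deposit"}))


def can_access(proxy: Any, name: str) -> bool:
    """True if `name` is reachable through the proxy, False if the proxy denies it."""
    try:
        getattr(proxy, name)
    except AttributeError:
        return False
    return True


if __name__ == "__main__":
    acct = Account("alice", 10)
    view = make_account_view(acct)
    print("owner:", view.owner)                      # allowed
    print("after deposit:", view.deposit(5))          # allowed, mutates target
    for name in ("_audit_token", "__dict__", "__class__", "_target"):
        print(f"{name}: {'allowed' if can_access(view, name) else 'denied'}")
```

The allow-list is the whole policy, which is the point the post makes: reviewing the encapsulation means reading one small class rather than auditing checks spread across the interpreter. The caveat is that in an unrestricted CPython a caller can still reach the target with `object.__getattribute__(view, "_target")` or by introspecting `type(view)`, so a proxy like this only enforces anything when the surrounding environment (the "basic checks in the interpreter" the post refers to) denies such escape hatches to untrusted code.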