[Python-Dev] Fw: Security hole in rexec?

Samuele Pedroni <pedroni@inf.ethz.ch>
Sat, 24 Aug 2002 21:29:24 +0200


----- Original Message ----- 
From: Troels Therkelsen <t_therkelsen@hotmail.com>
Newsgroups: comp.lang.python
Sent: Saturday, August 24, 2002 6:42 PM
Subject: Security hole in rexec?


> Hello everybody,
> 
> I have managed to stumble onto something with the rexec module that I
> do not quite understand.  As I understand it, the rexec framework is
> meant to create a sandbox area within the Python interpreter,
> technically with an instance of the rexec.RExec class.  It is supposed
> to be impossible to break out of this sandbox unless you do something
> careless like inserting non-rexec objects into the rexec namespace.
> 
> Let me demonstrate with some code:
> 
>   Python 2.2.1 (#1, Jun 27 2002, 10:29:04) 
>   [GCC 2.95.3 20010315 (release)] on linux2
>   Type "help", "copyright", "credits" or "license" for more information.
>   >>> import rexec
>   >>> r = rexec.RExec()
>   >>> r.r_exec("import sys; print sys.stdout")
>   Traceback (most recent call last):
>     File "<stdin>", line 1, in ?
>     File "/usr/local/lib/python2.2/rexec.py", line 254, in r_exec
>       exec code in m.__dict__
>     File "<string>", line 1, in ?
>   AttributeError: 'module' object has no attribute 'stdout'
> 
> This is as you'd expect, 'stdout' is not in the default ok_sys_names
> attribute of the rexec.RExec class, so you are not supposed to be able
> to see it from within the 'sandbox'.  But observe:
> 
>   >>> r.r_exec("del __builtins__")
>   >>> r.r_exec("import sys; print sys.stdout")
>   <open file '<stdout>', mode 'w' at 0x80fe2a0>
> 
> If __builtins__ is so critical to the operation of the 'sandbox' how
> is it possible to break it from within the 'sandbox'?  Have I stumbled
> across a bug in rexec?  Have I misunderstood something important?
> 
> I've used the id() function to get the 'address' of the __builtins__
> object and I have verified that the new __builtins__ which gets
> re-added has a different id so it is definitely a different
> __builtins__ than the one I used del on.  It would appear that exec
> and family adds __builtins__ to the namespace it runs in if it doesn't
> exist.  But where does it get it from?  Why doesn't rexec deal with
> this quirk of exec?  Maybe it's a new feature/bug of exec?
> 
> I'll stop with the questions now.  Suffice to say, I really need rexec
> :-)
> 
> Best regards,
> 
> Troels Therkelsen
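The quirk Troels asks about, reproduced as an added Python 3 example that is not code from the original post or from rexec: CPython's exec inserts the interpreter's real builtins under `__builtins__` whenever the globals dict lacks that key, so a namespace whose restricted `__builtins__` has been deleted comes back with the unrestricted one. `SAFE_BUILTINS`, `naive_exec` and `guarded_exec` are constructed stand-ins, not rexec's own names; the guard only pins the key before each exec and is not a sandbox.

```python
import builtins

# Constructed allow-list standing in for the restricted builtins that
# rexec placed in its module dict (hypothetical, not rexec's own table).
SAFE_BUILTINS = {"len": len, "range": range, "str": str}


def make_namespace():
    """Globals dict carrying a restricted __builtins__, as rexec's r_exec did."""
    return {"__builtins__": dict(SAFE_BUILTINS)}


def naive_exec(ns, source):
    """Run code in ns without re-checking __builtins__ (the behaviour observed)."""
    exec(source, ns)
    return ns


def guarded_exec(ns, source):
    """Reinstate the restricted __builtins__ before every exec."""
    ns["__builtins__"] = dict(SAFE_BUILTINS)
    exec(source, ns)
    return ns


def builtins_is_real(ns):
    """True when __builtins__ in ns is CPython's unrestricted builtins.

    exec inserts the current frame's builtins dict; a module object is also
    accepted so the check holds under either representation.
    """
    b = ns.get("__builtins__")
    return b is builtins or b is builtins.__dict__


def demonstrate_quirk():
    """Returns (real_before, real_after) around the 'del __builtins__' step."""
    ns = make_namespace()
    naive_exec(ns, "x = len('abc')")       # restricted dict serves the lookup
    before = builtins_is_real(ns)          # False: restricted dict in place
    naive_exec(ns, "del __builtins__")     # the step from the post
    naive_exec(ns, "y = 1")                # key missing, so exec re-adds one...
    after = builtins_is_real(ns)           # ...and it is the interpreter's own
    return before, after


def demonstrate_guard():
    """Same steps through guarded_exec: the restricted dict is pinned each time."""
    ns = make_namespace()
    guarded_exec(ns, "del __builtins__")
    guarded_exec(ns, "y = 1")
    return builtins_is_real(ns)
```

The guard closes only the path shown in the post; Python's own rexec was later disabled rather than patched, so treat this as an illustration of the mechanism, not as a hardening recipe.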