[Python-Dev] Restricted interpreter

holger krekel pyth@devel.trillke.net
Fri, 8 Nov 2002 21:19:59 +0100


Gustavo Niemeyer wrote:
> This weekend I'm going to work on a "restricted" python interpreter for
> http://acm.uva.es/problemset/. That site offers online programming
> contests, including an online judge to check algorithm implementations
> for hundreds of problems. I believe it'd be nice for the Python community
> to have access to something like that.
> 
> This interpreter should have limited functionality so that malicious users
> won't be able to access the filesystem, sockets, and other "dangerous"
> functionality.

If i were to seriously do something like this i'd try to use 'jails' 
as found in free-bsd or similar in UserModeLinux (haven't really 
checked the latter).  They offer kernel-level sandboxes
and if your execution runs within them it can't compromise the
system even if it manages to become the root user.

there is a fine introductory read regarding security granularity and
about jails:

    http://docs.freebsd.org/44doc/papers/jail/jail.html

have fun,

    holger