[Python-Dev] Capabilities

Paul Prescod paul@prescod.net
Tue, 01 Apr 2003 10:29:37 -0800 

Guido van Rossum wrote:
>>How is the implementation of "open" provided by the trusted code to
>>the untrusted code?  Is it possible to provide a different "open"
>>implementation to different "instances" of the zipfile module?  (I
>>think not, as there is no such thing as "a different instance of a
>>module", but perhaps you could have two rexec "workspaces" each of
>>which has a zipfile module with a different "open"?)
> 
> 
> To the contrary, it is very easy to provide code with a different
> version of open().  E.g.:
> 
>   # this executes as trusted code
>   def my_open(...):
>     "open() variant that only allows reading"
>   my_builtins = {"len": len, "open": my_open, "range": range, ...}
>   namespace = {"__builtins__": my_builtins}
>   exec "..." in namespace

That's fair enough, but why is it better for the "protection domain" to 
be an invoked "workspace" instead of an object?

Think of it from a software engineering point of view: you're proposing 
that the right way to manage security is to override more-or-less global 
variables. Zooko is proposing that you pass the capabilities each method 
needs to that method. i.e. standard structured programming.

Let's say that untrusted code wants access to the socket module. The 
surrounding code wants to tame it to prevent socket connections to 
certain IP addresses. I think that in the rexec model, the surrounding 
application would have to go in and poke "safe" versions of the 
constructor into the module. Or they would have to disallow access to 
the module altogether and provide an object that tamed module 
appropriately. The first approach is kind of error prone. The second 
approach requires the untrusted code to use a model of programming that 
is very different than "standard Python."

If we imagined a Python with capabilities were built in deeply, the 
socket module would be designed to be tamed. By default it would have no 
authority at all except that which is passed in. The authority to 
contact the outside world would be separate from all of the other useful 
stuff in the socket module and socket class. I'm not necessarily 
advocating this kind of a change to the Python library...

  Paul Prescod