[Python-Dev] Embedded python module search path

Guido van Rossum guido at python.org
Sun Aug 24 22:36:54 EDT 2003

> I realize rexec will not be coming back.  I don't need full rexec, I have a
> much simpler requirement - I don't want the python interpreter to have
> access to the system.  The embedding app (Daedalus) handles feeding in of
> modules and content through  Py_CompileString and  PyImport_ExecCodeModule,
> as well as building local namespaces in which the code is run.  Any access
> to the embedding system is through custom data types and extension modules.
> My point is that none of the system builtins or major modules are used - and
> those builtins and modules are what allow the user to access and corrupt the
> system.  While much of the builtins are still needed (basic data types, etc)
> most of the built-in functions such as filesystem and systemcalls are
> liabilities.  They could play with the file system, manipulate the system,
> and do other things.  So, my question is this: is there any way to compile
> Python as a true standalone?  That is, the only access to the system is
> through extension modules?  I can't find any documentation on how to control
> what builtin modules and functions are compiled in with Python.
> Is there any interest in such a project?  Or, if I develop this myself
> (although I have no idea how secure it could be - I don't know the builtins
> very well) would be any interest in makign a patch/PEP of it?  This sort of
> thing would be a boon to anyone embedding python.  I believe many embedded
> apps could use this sort of feature (at the very least to keep the bloat
> down).

Well, in standard Python, the only access to the system is *also*
through extension modules -- if you count __builtin__ as an extension
module.  The other extension module you want to avoid is the posix
module (under Windows, the nt module).  It should be a simple matter
to remove this from your module search path.  If you are right that
you don't need access to the few builtins that can do system calls at
all (I think it's just open and file, but you may want to check), you
can simply delete them from the __builtin__ module at the start.  I
would delete remove as well, since remove(__builtin__) brings deleted
builtins back to life.  And you'd have to provide an __import__
replacement that restricts what you can import; but again you can do
that at the start, before running any untrusted code.

Is this clear, or do you need more explanation?

(PS: sorry for the empty email I sent you before.  My fingers

--Guido van Rossum (home page: http://www.python.org/~guido/)

More information about the Python-Dev mailing list