[Python-Dev] Re: rexec.py unuseable
Luke Kenneth Casson Leighton
lkcl at lkcl.net
Tue Dec 16 13:35:41 EST 2003
On Tue, Dec 16, 2003 at 07:13:21AM -0800, Michael Chermside wrote:
> Suppose that had some code which had an object representing a
> directory, with a method "open(filename, mode='r')" that opened
> files in the directory. Given this object, you could imagine
> constructing new objects with more limited capabilities.
yep. in a very simple manner, with capabilities lists.
> instance, you might create a readOnlyDirectory object which had
> a method "open(filename)" that didn't allow specifying the mode
> as anything but 'r'. Or you might open a file and then pass a
> file object with "read()", "write()", "seek()", and other such
> methods, which would only access that file.
this could be achieved very simply by setting a CCL with
"deny everything" permissions on an object that, ordinarily,
had a full set of functions with NO restrictions, but leaving
_and_ also, importantly, adding a CCL onto the __builtins__ etc
as already discussed to restrict bypassing.
> So _IF_ the only way to access files were through this object (and
> that's a BIG if), then you could imagine a world where HAVING and
> object was equivalent to being able to do something. If a bit of
> code had access to a read-only-file object then it could read that
> file, but couldn't write to it, or do anything else with the file
> system unless it ALSO had access to some OTHER objects.
> capabilities... and it would work for most kinds of restricted
> resources, not just the file system. The key idea is that HAVING
> a pointer to the object is equivalent to having the permission to
> USE that object, and whatever it provides access to.
ah... that's where you and i differ, based on my experience of
ACLs in NT.
i envisage a separate "execute" permission from a "read" and "write"
permission, a bit like directory permissions on a POSIX filesystem.
under such a scheme where "execute" capability permission exists
as well as "read" and "write", simply having access to an object
does NOT guarantee you any rights to CALL that object, because if
it doesn't have "execute" permission you can't execute [viz, call]
... but what you _can_ do is pass that object to another function which
_does_ have execute permissions.
how the hell is _that_ achieved, i hear you say???
well imagine a CCL as follows:
[('totally_restricted_function, 'DENY', 'All permissions'),
('slightly_less_restricted_function', 'ALLOW', 'execute and read')]
and this CCL is applied to the above-mentioned readOnlyDirectory
if totally_restricted_function() calls
slightly_less_restricted_function(), passing a readOnlyDirectory object
to it, then according to the CCL above, ONLY
slightly_less_restricted_function() may call functions in that
More information about the Python-Dev