[Python-Dev] rexec.py unuseable

Luke Kenneth Casson Leighton lkcl at lkcl.net
Tue Dec 16 16:23:12 EST 2003


On Tue, Dec 16, 2003 at 09:14:40PM +0100, Martin v. L?wis wrote:
> Luke Kenneth Casson Leighton <lkcl at lkcl.net> writes:
> 
> > > Also, it seems that nowhere in your proposal you state how ACLs should
> > > be integrated into Python: I.e. what objects are protected by ACLs,
> > 
> >  all objects - if an acl is non-null.
> 
> Does this include functions and bound and unbound methods?
 
 if it's a function, it can potentially have an ACL (or a
 better description is CCL - capabilities control list) added,
 and that CCL applies to all sub-objects of the function.

 same with objects, classes - everything.

 

> > >   3 * 4
> > > 
> > > Is that read, write, execute, and which ACL(s) is(are) considered?
> >  
> >   execute, and execute only, because there's no I/O involved.
> > 
> >   on the multiply operation.
> 
> So what operations require read or write access?

 short answer: all of them.
 
 longer answer: just like with exceptions, that has to be classified
 according to conventions that are yet to be decided.

 i propose that, for example, a capability be created to control _file_
 read access and _file_ write access, with large provisos on the
 documentation attached to these two capabilities that ensure they are
 distinguished from the right to _modify_ an object.


 basically it's all conventions, just like exceptions are conventions.

 all i can do is recommend a framework and some guidelines on what
 conventions could be fitted over that framework.

 heck, it may even be worthwhile defining a low-level object, named
 a Capability, just like an Exception is defined, and then expect
 people to create their own, and recommend the creation of certain
 Capabilities that are inherited from the Capability base class.


> >   but _only_ if there's an actual ACL set _on_ the multiply function.
> > 
> >   if there's no acl set on the multiply function, there's no
> >   restrictions on the multiply function.
> 
> So ACLs on the objects 3 and 4 would be irrelevant?

 well... actually.... no :)

 but are such ACLs relevant?

 can you do 3 += 5?

 no you can't: python throws up a SyntaxError: can't assign to a
 literal.

 so, whilst the answer is yes, you _can_ associate an ACL [or
 better-named, a CCL] with the object "3" and the object "4",
 i would be surprised if there were any situations where they got...
 hang on...

 >>> dir(3)
 ['__abs__', '__add__', '__and__', '__class__', '__cmp__', '__coerce__',
 '__delattr__', '__div__', '__divmod__', '__doc__', '__float__',
 '__floordiv__', '__getattribute__', '__getnewargs__', '__hash__',
 '__hex__', '__init__', '__int__', '__invert__', '__long__',
 '__lshift__', '__mod__', '__mul__', '__neg__', '__new__',
 '__nonzero__', '__oct__', '__or__', '__pos__', '__pow__', '__radd__',
 '__rand__', '__rdiv__', '__rdivmod__', '__reduce__', '__reduce_ex__',
 '__repr__', '__rfloordiv__', '__rlshift__', '__rmod__', '__rmul__',
 '__ror__', '__rpow__', '__rrshift__', '__rshift__', '__rsub__',
 '__rtruediv__', '__rxor__', '__setattr__', '__str__', '__sub__',
 '__truediv__', '__xor__']

 yes, i believe it _might_ be relevant to set a CCL on an object "3"
 because someone might want to restrict how... oh, i dunno... mmm.
 __setattr__ gets used.

 >>> 3.__xor__
            ^
  SyntaxError: invalid syntax

 oh.  maybe not :)


 however, a UserLong or a UserInt is a different matter.

 [btw, change of subject: why is there no __eq__, no __gt__, no __le__
  in that list above?]




> Generalizing this, given a class Foo, with a method bar(), and two
> instances foo1 and foo2:
> 
> foo1 = Foo("/etc/passwd")
> foo2 = Foo("/tmp/nonexistant.yet")
> 
> and considering the calls foo1.bar() and foo2.bar():
> 
> Given that *only* the ACL on the operation bar matters: Does that mean
> that the calls either both succeed or both fail, for a given caller?

 i'm not entirely sure what you mean, but let's assume that objects
 (and their instances!) all have an __set_ccl__() function.

 let's also define a CCL:

 deny_ccl = [('all functions', DENY, 'execute')]

 then, let's try this:

 foo2 = Foo("/etc/passwd")

 Foo.bar.__set_ccl__(deny_ccl)
 foo1 = Foo("/etc/passwd")

 foo2.bar() // executed okay
 
 foo1.bar()
 *** EXCEPTION: execute capability barred to "all functions".

 
 okay, let's try this, first making sure there's no ambiguity by
 re-setting the CCL on the Foo class:

 Foo.bar.__set_ccl__(None)

 okay, now we go:

 foo3 = Foo("/etc/passwd")

 foo3.bar() // executed okay
 foo3.bar.__set_ccl__(deny_ccl)

 foo3.bar() 
 *** EXCEPTION: execute capability barred to "all functions".

 
 note that there are three separate uses of __set_ccl__().

 first is to set a CCL on the _class_ Foo.
 second is to clear a CCL the class Foo.
 third is to set a CCL on an instance of a Foo object.

 just to clarify: i _may_ have just violated my own proposal
 by not setting an "inherited-on-create" capability on the CCL named
 deny_ccl.

 the reason for needing to have such a capability is to be able to
 distinguish between setting CCLs on a class and a CCL being
 created on an object when an instance _of_ that class is created.

 this is part of the lesson learned from NT's security model
 (and originally VMS's) and its implementation.

 
 i won't go into more details on this inherit-on-create thing
 until the rest of the stuff sinks in :)

 l.




More information about the Python-Dev mailing list