open == file considered harmful (Re: [Python-Dev] RE: rexec.pyunuseable)

Guido van Rossum guido at
Wed Dec 17 19:12:09 EST 2003

> It would be a lot better if we could get away from the idea
> of a "restricted mode" in the sense of a flag somewhere that
> a bunch of things have to take notice of in order to behave
> securely, because that model of security is prone to springing
> leaks -- as happened in a big way when new-style classes were
> introduced.

Right.  Restricted mode currently uses both paradigms: you only have
access to the builtins that are given to you in the __builtins__ dict
-- this is pure capability stuff, and IMO it works well -- and some
builtin operations behave differently when you're in restricted mode
-- this is the ACL stuff, and Samuele revealed serious holes in it.

> The spirit behind my suggestion was to start thinking about
> ways in which functionality could be separated out so that
> this kind of special-casing for security purposes isn't
> needed.


--Guido van Rossum (home page:

More information about the Python-Dev mailing list