open == file considered harmful (Re: [Python-Dev] RE: rexec.py unusable)

Guido van Rossum <guido at python.org>
Wed Dec 17 19:12:09 EST 2003

> It would be a lot better if we could get away from the idea
> of a "restricted mode" in the sense of a flag somewhere that
> a bunch of things have to take notice of in order to behave
> securely, because that model of security is prone to springing
> leaks -- as happened in a big way when new-style classes were
> introduced.
Right. Restricted mode currently uses both paradigms: you only have
access to the builtins that are given to you in the __builtins__ dict
-- this is pure capability stuff, and IMO it works well -- and some
builtin operations behave differently when you're in restricted mode
-- this is the ACL stuff, and Samuele revealed serious holes in it.
> The spirit behind my suggestion was to start thinking about
> ways in which functionality could be separated out so that
> this kind of special-casing for security purposes isn't
> needed.
Right.
--Guido van Rossum (home page: http://www.python.org/~guido/)
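As an added illustration (not code from the message or from the Python project), the two models the post contrasts can be shown side by side: a capability model, where untrusted code receives exactly the builtins placed in its `__builtins__` dict and nothing else exists for it by name, and an ACL model, where a global "restricted" flag must be consulted by every sensitive operation. The function and flag names below are constructed for the example, and `exec()` with a trimmed `__builtins__` is used only to show the capability idea, not as a security boundary in a modern interpreter. The `acl_audit` helper shows the defensive check the ACL model forces on you: enumerate every guarded operation and confirm each one actually honours the flag, because any code path that forgot is a hole.

```python
"""Added example contrasting capability-style and ACL-style restriction.

Constructed for illustration; RESTRICTED, run_with_capabilities and the
acl_* functions are hypothetical names, not Python or rexec APIs.
"""

RESTRICTED = False  # the ACL-style flag every guarded operation must check


def run_with_capabilities(source, granted):
    """Capability style: execute `source` with exactly the builtins in
    `granted`. A builtin that was not granted does not exist in the
    namespace at all. Returns the namespace dict after execution."""
    namespace = {"__builtins__": dict(granted)}
    exec(source, namespace)
    return namespace


def capability_denies_ungranted():
    """An ungranted builtin (here `open`) is unreachable by name: the
    lookup fails with NameError rather than being filtered by a flag."""
    try:
        run_with_capabilities("f = open('/etc/hostname')", {"len": len})
    except NameError:
        return True
    return False


def capability_allows_granted():
    """A granted builtin works normally inside the restricted namespace."""
    ns = run_with_capabilities("n = len('abc')", {"len": len})
    return ns["n"]


# --- ACL style: operations that are each supposed to honour the flag ---

def acl_read_checked(path):
    """An operation that remembers to consult the flag."""
    if RESTRICTED:
        raise PermissionError("restricted mode")
    return "contents of " + path  # stand-in for real I/O


def acl_read_unchecked(path):
    """A later-added operation that forgot the flag check: the kind of
    leak the ACL model is prone to whenever new functionality appears."""
    return "contents of " + path


def acl_audit(operations):
    """Defensive check for the ACL model: turn the flag on and report which
    named operations still succeed, i.e. which code paths never consulted
    it. Returns the list of leaking operation names."""
    global RESTRICTED
    RESTRICTED = True
    leaks = []
    try:
        for name, fn in operations.items():
            try:
                fn("/tmp/example")  # constructed path, never actually read
            except PermissionError:
                continue
            leaks.append(name)
    finally:
        RESTRICTED = False
    return leaks


if __name__ == "__main__":
    print("capability denies ungranted open:", capability_denies_ungranted())
    print("capability allows granted len:", capability_allows_granted())
    print("ACL leaks:", acl_audit({"checked": acl_read_checked,
                                   "unchecked": acl_read_unchecked}))
```

The contrast is the point of the post: in the capability half there is nothing to audit, because the only way to reach an operation is to have been handed it; in the ACL half the audit has to be repeated every time a new operation is added, and `acl_audit` only catches operations someone remembered to register.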