[Python-Dev] rexec.py unuseable
Nick Coghlan
ncoghlan at iinet.net.au
Fri Dec 19 08:07:38 EST 2003
Luke Kenneth Casson Leighton wrote:
> in some ways, the longer this is left, the harder it is going to
> be to retrospectively bolt on.
>
> there's an adage that says security cannot be easily added in, it
> has to be designed in from the start.
This is very true, but it hurts an ACL-based approach even worse than it
hurts a capabilities based one.
To get capabilities to work, the question is: how do we construct an
environment where 'builtins' and all other objects passed to code in
that environment have been suitably restricted to prevent malicious code
from causing damage?
The original objects, which are never made available to the untrusted
code, don't need to care about trust issues - they just keep working as
they always have.
To get ACLs to work, _everything_ in Python has to care about trust
issues, as they have to know that they should be checking for the
existence of an ACL.
I can't even begin to imagine how those ACLs might be managed
effectively, but I can imagine constructing a special execution
environment which only allowed 'safe' objects to be passed in.
A 'safe' object would be one of the restricted builtins, or objects able
to be constructed using only that restricted set of builtins. The major
issue comes in dealing with Python's introspection capabilities without
making them completely useless (then again, perhaps 'restricted, with
almost no introspection' would be an improvement over 'no restricted mode').
Anyway, despite either approach being Python 3.0 material, the
capability method at least seems conceptually possible - deleting
entries out of Python namespace dictionaries is a fairly straightforward
activity, as is substituting a new implementation for the old 'unsafe'
implementation when we want to switch to 'restricted' mode. Whereas
handling ACLs would be a completely new approach that spreads its
tentacles through much of the CPython source code.
For code, capabilities just make more sense - if they can't use it,
don't even let them know it's there.
Cheers,
Nick.
--
Nick Coghlan | Brisbane, Australia
Email: ncoghlan at email.com | Mobile: +61 409 573 268
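[Editor's note, not part of the thread.] The two halves of Nick's argument, the 'special execution environment' built by handing exec() a namespace whose builtins are an allow-list, and the introspection problem he flags as the major issue, can both be shown in a few lines of modern Python. The code below is an added illustration, not Nick's code and not rexec.py's: the allow-list, the helper names and the probe are this example's own assumptions. It goes slightly beyond the message by actually running the introspection walk he only alludes to, which is the check anyone building such an environment wants to see fail before trusting it.

```python
# Added illustration (not from the message above, and not rexec's own code):
# a capability-style restricted namespace for exec(), plus a probe showing
# why stripping names out of builtins is not, by itself, a security boundary.
import builtins

# Hypothetical allow-list of builtins deemed 'safe' for untrusted code.
# Names absent here (open, __import__, eval, exec, getattr, globals, ...)
# are not merely disabled: the untrusted code has no name to reach them by.
SAFE_BUILTIN_NAMES = (
    "abs", "len", "min", "max", "range", "sum", "sorted", "enumerate", "zip",
    "str", "int", "float", "list", "dict", "tuple", "set", "bool",
)


def make_safe_builtins():
    """Copy only the allow-listed names out of the real builtins module."""
    return {name: getattr(builtins, name) for name in SAFE_BUILTIN_NAMES}


def run_restricted(source, extra_names=None):
    """Execute untrusted source with the restricted builtins and return the
    resulting namespace dict. Objects in extra_names are the only things the
    code can touch besides the safe builtins (the capability idea)."""
    ns = {"__builtins__": make_safe_builtins()}
    if extra_names:
        ns.update(extra_names)
    exec(source, ns)
    return ns


def runs_in_sandbox(source):
    """True if the untrusted source runs to completion without raising."""
    try:
        run_restricted(source)
        return True
    except Exception:
        return False


# Untrusted code exercising the introspection hole: with no open, no
# __import__ and no getattr it still walks from an empty tuple to object,
# enumerates every loaded class, and reads a Python-defined __init__'s
# __globals__ to find a module namespace that carries the real builtins.
# A bare except is used because even the name AttributeError is unavailable.
ESCAPE_PROBE = """
found = None
for cls in ().__class__.__base__.__subclasses__():
    try:
        bi = cls.__init__.__globals__["__builtins__"]
    except:
        continue
    d = bi if bi.__class__ is {}.__class__ else bi.__dict__
    if "open" in d:
        found = d["open"]
        break
"""


def introspection_recovers_open():
    """True if the probe, run under the restricted builtins, still obtained
    the genuine builtins.open, i.e. the namespace restriction alone did not
    hold."""
    ns = run_restricted(ESCAPE_PROBE)
    return ns["found"] is builtins.open


if __name__ == "__main__":
    print("len() usable:", runs_in_sandbox("n = len(sorted([3, 1, 2]))"))
    print("open() usable by name:", runs_in_sandbox("f = open('/dev/null')"))
    print("import usable:", runs_in_sandbox("import os"))
    print("open() reachable via introspection:", introspection_recovers_open())
```

The first three checks behave as Nick predicts: deleting entries from the namespace dictionary is straightforward, and code that cannot name open() or __import__ simply gets a NameError or ImportError. The last check is the caveat: every object is still reachable through __class__, __base__, __subclasses__ and __globals__, so the restriction holds only if introspection is curtailed as well, which is the part he identifies as hard. This is the practical reason the rexec approach was never made safe and the module was eventually removed from Python.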