[Python-Dev] new security doc using object-capabilities

Giovanni Bajo rasky at develer.com
Thu Jul 20 13:40:06 CEST 2006


Nick Maclaren wrote:

>> This recipe for safe_eval:
>> http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/496746
>> which is otherwise very cute, does not handle this case as well: it
>> tries to catch and interrupt long-running operations through a
>> secondary thread, but fails on a single long operation because the
>> GIL is not released and the alarm thread does not get its chance to
>> run.
>
> Grin :-)
>
> You have put your finger on the Great Myth of such virtualisations,
> which applies to the system-level ones and even to the hardware-level
> ones.  In practice, there is always some request that a sandbox can
> make to the hypervisor that can lock out or otherwise affect other
> sandboxes.
>
> The key is, of course, to admit that and to specify what is and is
> not properly virtualised, so that the consequences can at least be
> analysed.

I agree, and in fact Brett's work on a proper security model is greatly
welcome. It's just that we mere mortals need to use eval() *now*, and that
recipe is good enough for many practical uses. If you can't win, you can at
least lose with dignity :)
-- 
Giovanni Bajo
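The limitation described in the quoted paragraph, illustrated with an added example that is not code from this thread or from the cookbook recipe: a watchdog thread inside the interpreter only runs when the eval loop releases the GIL, which one long C-level operation never does, whereas a child process can be killed by the OS at any point. The names `eval_with_timeout`, `EvalTimeout` and `CHILD_SRC` are mine, the script targets Python 3, and the empty `__builtins__` is not a complete sandbox; only the time limit is demonstrated.

```python
"""Evaluate an expression under a wall-clock limit enforced from outside.

Added example, not code from the thread or from the cookbook recipe.
An in-process watchdog thread only runs when the eval loop releases
the GIL; one long C-level operation (a big-integer power, say) never
does, so the thread cannot fire. A child process has no such problem:
the parent kills it with an OS signal whatever it is doing.
"""
import ast
import subprocess
import sys

# Source of the child interpreter. The empty __builtins__ mirrors the
# recipe's restriction but is NOT a complete sandbox; this example is
# about the time limit only.
CHILD_SRC = r"""
import sys
expr = sys.stdin.read()
print(repr(eval(expr, {"__builtins__": {}}, {})))
"""


class EvalTimeout(Exception):
    """The child did not finish within the allowed time and was killed."""


def eval_with_timeout(expr, seconds):
    """Evaluate EXPR in a fresh interpreter; kill it after SECONDS."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", CHILD_SRC],
            input=expr, capture_output=True, text=True, timeout=seconds,
        )
    except subprocess.TimeoutExpired:
        # run() has already killed the child before raising.
        raise EvalTimeout(f"{expr!r} exceeded {seconds}s") from None
    if proc.returncode != 0:
        err = proc.stderr.strip().splitlines() or ["child failed"]
        raise ValueError(err[-1])
    # Parse the child's reply as a literal; never eval() it in the parent.
    return ast.literal_eval(proc.stdout.strip())


if __name__ == "__main__":
    print(eval_with_timeout("(2 + 3) * 7", 5.0))      # 35
    try:
        # A single C-level operation: the GIL is held throughout, so an
        # in-process watchdog would never get scheduled. The OS kill does.
        eval_with_timeout("10**10**8", 1.0)
    except EvalTimeout as e:
        print("limit enforced:", e)
```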


