[Python-Dev] Sandboxing Python

Victor Stinner victor.stinner at gmail.com
Tue Mar 6 00:36:14 CET 2012


> For a comparison, PyPy sandbox is a program compiled from a
> higher-level language that by design does not have all sorts of
> problems described. The amount of code you need to carefully review is very
> minimal (as compared to the entire CPython interpreter). It does not
> mean it has no bugs, but it does mean finding segfaults is a
> significantly harder endeavour. There are no bug-free programs,
> however having for example to segfault an arbitrary interpreter
> *written* in Python would be significantly harder than one in C,
> wouldn't it?

I agree that the PyPy sandbox design looks better... but some people
are still using CPython and some of them need security. That's why
there are projects like zope.security, RestrictedPython and others.
Security was not included in CPython design. Python is a highly
dynamic language, which makes the situation worse.

I would like to improve CPython security. pysandbox is maybe not
perfect, and it may only be a first step to improve security. Even if
pysandbox has issues, having a frozendict type would help to secure
applications. For example, it can be used later for __builtins__ or to
build read-only types.

I agree that each bug, especially segfault, may lead to exploitable
vulnerabilities, but it doesn't mean that we should not consider
hardening Python because of these bugs. Even if PHP is known for its
lack of security and its broken safe_mode, people use it and run it on
web servers accessible to anyone on the Internet. There are also
projects to harden PHP. For example:
http://www.hardened-php.net/suhosin/

The suhosin patch doesn't avoid the possibility of segfaults, but it is
harder to exploit them with the patch.

I proposed to start with a frozendict because I consider that it is
not only useful for security, and the patch to add the type is not
intrusive. Other changes to use the patch can be discussed later,
except if you consider that related changes (__builtins__ and
read-only type) should be discussed to decide if a frozendict is
required or not.

Victor
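As an added illustration of the frozendict-as-__builtins__ idea raised in the message above (example code written for this page, not code from the thread, from pysandbox, or from the proposed CPython patch): a minimal immutable mapping is handed to exec() as the `__builtins__` of untrusted code, and the same code is run against a plain dict for comparison. The FrozenDict class, SAFE_BUILTINS and run_untrusted are assumed names; the example targets Python 3, where exec is a function and a non-dict `__builtins__` mapping is consulted through normal item lookup.

```python
"""Minimal frozendict used as a read-only __builtins__ for exec().

Added example for this page; not the proposed CPython frozendict type.
Targets Python 3 (exec is a function).
"""
from collections.abc import Mapping


class FrozenDict(Mapping):
    """Immutable, hashable mapping: no __setitem__/__delitem__, fixed slots."""

    __slots__ = ("_data", "_hash")

    def __init__(self, *args, **kwargs):
        self._data = dict(*args, **kwargs)
        self._hash = None

    def __getitem__(self, key):
        return self._data[key]          # KeyError here becomes NameError in exec'd code

    def __iter__(self):
        return iter(self._data)

    def __len__(self):
        return len(self._data)

    def __hash__(self):
        # Cached so the mapping can be a dict key or set member like a frozenset.
        if self._hash is None:
            self._hash = hash(frozenset(self._data.items()))
        return self._hash

    def __repr__(self):
        return f"FrozenDict({self._data!r})"


# Assumed allow-list of builtins exposed to untrusted code (constructed for the demo).
SAFE_BUILTINS = FrozenDict(len=len, range=range, min=min, max=max, sum=sum, sorted=sorted)


def run_untrusted(source, builtins=SAFE_BUILTINS):
    """Execute `source` with the given __builtins__ and return its `result` global."""
    namespace = {"__builtins__": builtins}
    exec(source, namespace)
    return namespace.get("result")


def mutable_builtins_demo():
    """With a plain dict, the sandboxed code can rewrite the builtins it was given."""
    shared = dict(SAFE_BUILTINS)
    run_untrusted("__builtins__['len'] = lambda x: 0", shared)
    return shared["len"]([1, 2, 3])     # 0: the caller's mapping was altered


def frozen_builtins_demo():
    """With FrozenDict, the same assignment fails instead of altering shared state."""
    try:
        run_untrusted("__builtins__['len'] = lambda x: 0")
    except TypeError as exc:            # 'FrozenDict' object does not support item assignment
        return type(exc).__name__
    return None


def blocked_name_demo():
    """A builtin not in the allow-list is simply an undefined name."""
    try:
        run_untrusted("result = open")
    except NameError as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    print(run_untrusted("result = sum(range(5))"))   # allowed builtins resolve normally
    print(mutable_builtins_demo(), frozen_builtins_demo(), blocked_name_demo())
```

The read-only mapping stops the executed code from rewriting the builtins it shares with its host and leaves unlisted names such as `open` unresolvable; as the message itself says, that is one hardening step, not a sandbox on its own, since anything reachable from the objects that are exposed remains reachable.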

