[Python-Dev] Another update for PEP 394 -- The "python" Command on Unix-Like Systems

Victor Stinner vstinner at redhat.com
Tue Feb 26 17:27:58 EST 2019

On Tue, Feb 26, 2019 at 22:24, Gregory P. Smith <greg at krypto.org> wrote:
> A feature that I find missing from posix-y OSes that support #! lines is an ability to restrict what can use a given interpreter.

Fedora runs system tools (like "/usr/bin/semanage", a tool to manage
SELinux) with "python3 -Es":

$ head /usr/sbin/semanage
#! /usr/bin/python3 -Es

-E: ignore PYTHON* environment variables (such as PYTHONPATH)
-s: don't add user site directory to sys.path

Is it what you mean?

> Such a restriction could be implemented within the interpreter itself. For example: Say that only this set of fully qualified path whitelisted .py files are allowed to invoke it, with no interactive, stdin, or command line "-c" use allowed. I'm not aware of anyone actually having done that. It's hard to see how to do that in a maintainable manner that people using many distros wouldn't just naively work around by adding themselves to the whitelist rather than providing their own interpreter for their own software stack. It feels more doable without workarounds for something like macOS or any other distro wholly controlled and maintained as a single set of software rather than widely varying packages.

Technically, Python initialization is highly customizable: see
_PyCoreConfig in Include/coreconfig.h.

But we lack a public API for that :-)
https://www.python.org/dev/peps/pep-0432/ is a work-in-progress.

With a proper public API, building your own interpreter would take a
few lines of C to give you fine control on what Python can do or not.

Extract of Programs/_freeze_importlib.c (give you an idea of what can be done):
    _PyCoreConfig config = _PyCoreConfig_INIT;
    config.user_site_directory = 0;   /* don't add the user site directory to sys.path (like -s) */
    config.site_import = 0;           /* don't import the "site" module at startup (like -S) */
    config.use_environment = 0;       /* ignore PYTHON* environment variables (like -E) */
    config.program_name = L"./_freeze_importlib";
    /* Don't install importlib, since it could execute outdated bytecode. */
    config._install_importlib = 0;
    config._frozen = 1;

    _PyInitError err = _Py_InitializeFromConfig(&config);

As Petr wrote below, RHEL 8 has a private /usr/libexec/platform-python
which is the Python used to run system tools (written in Python). But
this Python isn't customized. I'm not sure that there is a strong need
to customize Python default configuration for this interpreter.

Note: Sorry to hijack again this thread with unrelated discussions :-(

Night gathers, and now my watch begins. It shall not end until my death.
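The effect of the "-E" and "-s" flags discussed above, as an added example that is not part of the original message: it launches the running interpreter with a constructed PYTHONPATH entry and reports whether each flag set keeps that entry out of sys.path and disables the user site directory. "-I" (isolated mode, which combines both flags) is included for comparison; the probe script, helper names and the temporary marker directory are constructed for this example.

```python
"""Probe how Python's -E and -s flags change the interpreter's startup
configuration, by launching sys.executable as a child process."""
import json
import os
import subprocess
import sys
import tempfile

# Code run inside the child: report the startup state as JSON.
# The constructed marker directory is passed in as argv[1].
_PROBE = r"""
import json, sys
marker = sys.argv[1]
print(json.dumps({
    "pythonpath_honored": marker in sys.path,
    "ignore_environment": bool(sys.flags.ignore_environment),
    "no_user_site": bool(sys.flags.no_user_site),
}))
"""


def probe_interpreter(flags):
    """Launch the current interpreter with the given flags while a
    constructed PYTHONPATH entry is set; return what the child observed."""
    with tempfile.TemporaryDirectory() as marker:
        env = dict(os.environ, PYTHONPATH=marker)
        cmd = [sys.executable, *flags, "-c", _PROBE, marker]
        out = subprocess.run(cmd, env=env, check=True,
                             capture_output=True, text=True).stdout
    return json.loads(out)


def is_hardened(flags):
    """True when the flags both stop PYTHONPATH from reaching sys.path
    and keep the user site directory out of the import path."""
    result = probe_interpreter(flags)
    return (not result["pythonpath_honored"]) and result["no_user_site"]


if __name__ == "__main__":
    for flags in ([], ["-E", "-s"], ["-I"]):
        label = " ".join(flags) or "(no flags)"
        print(label, probe_interpreter(flags))
```

Without flags the marker directory shows up in sys.path; with "-Es" or "-I" it does not, which is the property the Fedora shebang relies on.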
