[Python-Dev] Another update for PEP 394 -- The "python" Command on Unix-Like Systems
Gregory P. Smith
greg at krypto.org
Wed Feb 27 16:12:52 EST 2019
On Tue, Feb 26, 2019 at 2:28 PM Victor Stinner <vstinner at redhat.com> wrote:
> Le mar. 26 févr. 2019 à 22:24, Gregory P. Smith <greg at krypto.org> a écrit
> > A feature that I find missing from posix-y OSes that support #! lines is
> an ability to restrict what can use a given interpreter.
> Fedora runs system tools (like "/usr/bin/semanage", tool to manager
> SELinux) with "python3 -Es":
> $ head /usr/sbin/semanage
> #! /usr/bin/python3 -Es
> -E: ignore PYTHON* environment variables (such as PYTHONPATH)
> -s: don't add user site directory to sys.path
> Is it what you mean?
Not quite. I meant that python interpreter would need to decide
/usr/sbin/semanage is allowed to use it as an interpreter.
> > Such a restriction could be implemented within the interpreter itself.
> For example: Say that only this set of fully qualified path whitelisted .py
> files are allowed to invoke it, with no interactive, stdin, or command line
> "-c" use allowed. I'm not aware of anyone actually having done that. It's
> hard to see how to do that in a maintainable manner that people using many
> distros wouldn't just naively work around by adding themselves to the
> whitelist rather than providing their own interpreter for their own
> software stack. It feels more doable without workarounds for something
> like macOS or any other distro wholly controlled and maintained as a single
> set of software rather than a widely varying packages.
> Technically, Python initialization is highly customizable: see
> _PyCoreConfig in Include/coreconfig.h.
> But we lack a public API for that :-)
> https://www.python.org/dev/peps/pep-0432/ is a work-in-progress.
> With a proper public API, building your own interpreter would take a
> few lines of C to give you fine control on what Python can do or not.
> Extract of Programs/_freeze_importlib.c (give you an idea of what can be
> _PyCoreConfig config = _PyCoreConfig_INIT;
> config.user_site_directory = 0;
> config.site_import = 0;
> config.use_environment = 0;
> config.program_name = L"./_freeze_importlib";
> /* Don't install importlib, since it could execute outdated bytecode.
> config._install_importlib = 0;
> config._frozen = 1;
> _PyInitError err = _Py_InitializeFromConfig(&config);
> As Petr wrote below, RHEL 8 has a private /usr/libexec/platform-python
> which is the Python used to run system tools (written in Python). But
> this Python isn't customized. I'm not sure that there is a strong need
> to customize Python default configuration for this interpreter.
> Note: Sorry to hijack again this thread with unrelated discussions :-(
> Night gathers, and now my watch begins. It shall not end until my death.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Python-Dev