[Python-Dev] Another update for PEP 394 -- The "python" Command on Unix-Like Systems
Gregory P. Smith
greg at krypto.org
Wed Feb 27 16:12:52 EST 2019
On Tue, Feb 26, 2019 at 2:28 PM Victor Stinner <vstinner at redhat.com> wrote:
> Le mar. 26 févr. 2019 à 22:24, Gregory P. Smith <greg at krypto.org> a écrit
> :
> > A feature that I find missing from posix-y OSes that support #! lines is
> an ability to restrict what can use a given interpreter.
>
> Fedora runs system tools (like "/usr/bin/semanage", tool to manager
> SELinux) with "python3 -Es":
>
> $ head /usr/sbin/semanage
> #! /usr/bin/python3 -Es
>
> -E: ignore PYTHON* environment variables (such as PYTHONPATH)
> -s: don't add user site directory to sys.path
>
> Is it what you mean?
Not quite. I meant that python interpreter would need to decide
/usr/sbin/semanage is allowed to use it as an interpreter.
-gps
>
> > Such a restriction could be implemented within the interpreter itself.
> For example: Say that only this set of fully qualified path whitelisted .py
> files are allowed to invoke it, with no interactive, stdin, or command line
> "-c" use allowed. I'm not aware of anyone actually having done that. It's
> hard to see how to do that in a maintainable manner that people using many
> distros wouldn't just naively work around by adding themselves to the
> whitelist rather than providing their own interpreter for their own
> software stack. It feels more doable without workarounds for something
> like macOS or any other distro wholly controlled and maintained as a single
> set of software rather than a widely varying packages.
>
> Technically, Python initialization is highly customizable: see
> _PyCoreConfig in Include/coreconfig.h.
>
> But we lack a public API for that :-)
> https://www.python.org/dev/peps/pep-0432/ is a work-in-progress.
>
> With a proper public API, building your own interpreter would take a
> few lines of C to give you fine control on what Python can do or not.
>
> Extract of Programs/_freeze_importlib.c (give you an idea of what can be
> done):
> ---
> _PyCoreConfig config = _PyCoreConfig_INIT;
> config.user_site_directory = 0;
> config.site_import = 0;
> config.use_environment = 0;
> config.program_name = L"./_freeze_importlib";
> /* Don't install importlib, since it could execute outdated bytecode.
> */
> config._install_importlib = 0;
> config._frozen = 1;
>
> _PyInitError err = _Py_InitializeFromConfig(&config);
> ---
>
> As Petr wrote below, RHEL 8 has a private /usr/libexec/platform-python
> which is the Python used to run system tools (written in Python). But
> this Python isn't customized. I'm not sure that there is a strong need
> to customize Python default configuration for this interpreter.
>
> Note: Sorry to hijack again this thread with unrelated discussions :-(
>
> Victor
> --
> Night gathers, and now my watch begins. It shall not end until my death.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20190227/9f5066ed/attachment.html>
More information about the Python-Dev
mailing list