[Python-Dev] Another update for PEP 394 -- The "python" Command on Unix-Like Systems

Wed Feb 27 16:12:52 EST 2019

On Tue, Feb 26, 2019 at 2:28 PM Victor Stinner <vstinner at redhat.com> wrote:

> Le mar. 26 févr. 2019 à 22:24, Gregory P. Smith <greg at krypto.org> a écrit
> :
> > A feature that I find missing from posix-y OSes that support #! lines is
> an ability to restrict what can use a given interpreter.
>
> Fedora runs system tools (like "/usr/bin/semanage", tool to manager
> SELinux) with "python3 -Es":
>
> $ head /usr/sbin/semanage
> #! /usr/bin/python3 -Es
>
> -E: ignore PYTHON* environment variables (such as PYTHONPATH)
> -s: don't add user site directory to sys.path
>
> Is it what you mean?

Not quite.  I meant that python interpreter would need to decide
/usr/sbin/semanage is allowed to use it as an interpreter.

-gps

>
> > Such a restriction could be implemented within the interpreter itself.
> For example: Say that only this set of fully qualified path whitelisted .py
> files are allowed to invoke it, with no interactive, stdin, or command line
> "-c" use allowed.  I'm not aware of anyone actually having done that.  It's
> hard to see how to do that in a maintainable manner that people using many
> distros wouldn't just naively work around by adding themselves to the
> whitelist rather than providing their own interpreter for their own
> software stack.  It feels more doable without workarounds for something
> like macOS or any other distro wholly controlled and maintained as a single
> set of software rather than a widely varying packages.
>
> Technically, Python initialization is highly customizable: see
> _PyCoreConfig in Include/coreconfig.h.
>
> But we lack a public API for that :-)
> https://www.python.org/dev/peps/pep-0432/ is a work-in-progress.
>
> With a proper public API, building your own interpreter would take a
> few lines of C to give you fine control on what Python can do or not.
>
> Extract of Programs/_freeze_importlib.c (give you an idea of what can be
> done):
> ---
>     _PyCoreConfig config = _PyCoreConfig_INIT;
>     config.user_site_directory = 0;
>     config.site_import = 0;
>     config.use_environment = 0;
>     config.program_name = L"./_freeze_importlib";
>     /* Don't install importlib, since it could execute outdated bytecode.
> */
>     config._install_importlib = 0;
>     config._frozen = 1;
>
>     _PyInitError err = _Py_InitializeFromConfig(&config);
> ---
>
> As Petr wrote below, RHEL 8 has a private /usr/libexec/platform-python
> which is the Python used to run system tools (written in Python). But
> this Python isn't customized. I'm not sure that there is a strong need
> to customize Python default configuration for this interpreter.
>
> Note: Sorry to hijack again this thread with unrelated discussions :-(
>
> Victor
> --
> Night gathers, and now my watch begins. It shall not end until my death.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20190227/9f5066ed/attachment.html>