[Python-ideas] CLI option for isolated mode

Barry Warsaw barry at python.org
Fri Nov 9 02:16:15 CET 2012

On Nov 08, 2012, at 11:13 PM, Christian Heimes wrote:

>I like to propose a new option for the Python interpreter:
>  python -I
>It shall start the interpreter in isolated mode which ignores any
>environment variables set by the user and any files installed by the
>user. The mode segregate a Python program from anything an unpriviliged
>user is able to modify and uses only files that are installed by a
>system adminstrator.
>The isolated mode implies -E (ignore all PYTHON* environment vars) and
>-s (don't add user site directory). It also refrains from the inclusion
>of '' or getcwd() to sys.path. TKinter doesn't load and execute Python
>scripts from the user's home directory. Other parts of the stdlib should
>be checked, too.
>The option is intended for OS and application scripts that doesn't want
>to become affected by user installed files or files in the current
>working path of a user.
>The idea is motivated by a couple of bug reports, for example:
>https://bugs.launchpad.net/bugs/938869  lsb_release crashed with SIGABRT
>in Py_FatalError()
>http://bugs.python.org/issue16202  sys.path[0] security issues
>http://bugs.python.org/issue16248  Security bug in tkinter allows for
>untrusted, arbitrary code execution.

As someone who worked on the lsb_release problem, I'm generally supportive of
this proposal.  Here's a link to the thread on the debian-python mailing list
where I suggested "system" scripts always use -Es in the shebang line:


The responses were cautious but mostly supportive.  One poster said:

"If I set PYTHONWARNINGS, I want it to affect all Python scripts."

I wonder also if we might want some other set of defaults, like -B enabled.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/python-ideas/attachments/20121108/f89a89d5/attachment.pgp>

More information about the Python-ideas mailing list