Security considerations of execfile()
Preston Landers
mithy at my-deja.com
Wed Sep 8 15:55:21 EDT 1999
Hello,
I'm thinking of using the execfile() built-in function in one of my
programs (Pagecast) and I'm wondering about some security
considerations.
Basically, the program will execute all files with a certain extension
in a certain directory as Python code. That code will be expected to
essentially perform two operations: instantiate an object with a
minimum, well-defined interface, and add that object to an object
"Register" which is really just a dictionary in the local context keyed
on the object's unique "name".
My question is what kind of security, if any, does execfile() provide
(my guess: none) and should I consider working with the rexec module?
I'm thinking that my security should take on two levels:
1/ File security; don't execute the file if any of these hold true:
   a) World-writable
   b) is not a regular file or is a link outside of that directory
   c) not owned by current user??
2/ Python level security: run in rexec environment.
The problems I see with this are:
1/ File security: does execfile() already provide any of this? Is there
any way to avoid a race condition? How do I avoid something like this:
    if os.name == "posix":
        DoSecurityChecks()
    else:
        print "Sorry, no security available on your OS!"
2/ The code in the files needs to instantiate an object that later must
be 'activated' by a Go() function. When activated, the object will need
access to the Internet through the urllib library. If I instantiate the
objects within a rexec wrapper, when the Go() function is called on them
later, will they still be considered restricted? I'm definitely showing
my ignorance of how rexec works; I've never used it before.
Finally, does anyone have any general suggestions about the kind of
thing I'm trying to do? Am I going about it all wrong?
Pagecast (including a 2.0 alpha version which uses execfile without any
additional security) can be found at
http://askpreston.com/projects/pagecast
thanks in advance,
---Preston
--
|| Preston Landers <mithy at my-deja.com> ||
|| http://askpreston.com ||
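
The file-level checks listed in the post (1a to 1c), done without a check-then-open race, as an added example that is not part of the original message or of Pagecast: the file is opened once, the checks run on the open descriptor with fstat(), and the code is compiled from the bytes read through that same descriptor. It assumes POSIX and Python 3, where exec(compile(...)) stands in for execfile(); read_checked, run_plugin, UnsafePlugin and the .plug file names are hypothetical, and file names are assumed to come from listing the plugin directory.

```python
import os
import stat
import tempfile

class UnsafePlugin(Exception):
    """A plugin file failed one of the file-level checks."""

def read_checked(plugin_dir, name):
    """Open once, check the open descriptor, read from that same descriptor."""
    # O_NOFOLLOW refuses any symlink (stricter than 1b); O_NONBLOCK avoids a FIFO hang
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
    try:
        fd = os.open(os.path.join(plugin_dir, name), flags)
    except OSError as exc:
        raise UnsafePlugin("cannot open: %s" % exc.strerror)
    try:
        st = os.fstat(fd)  # describes the file we hold open, not the path
        if not stat.S_ISREG(st.st_mode):
            raise UnsafePlugin("not a regular file")
        if st.st_uid != os.geteuid():
            raise UnsafePlugin("not owned by current user")
        if st.st_mode & stat.S_IWOTH:
            raise UnsafePlugin("world-writable")
        with os.fdopen(fd, "rb", closefd=False) as fh:
            return fh.read()
    finally:
        os.close(fd)

def run_plugin(plugin_dir, name, register):
    """Python 3 stand-in for execfile(): compile the bytes that were checked."""
    code = compile(read_checked(plugin_dir, name), name, "exec")
    exec(code, {"Register": register})  # file checks only, no sandbox

def demo():
    """Constructed files: one acceptable, one world-writable, one symlink."""
    register, outcome = {}, {}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("good.plug", 0o600), ("loose.plug", 0o666)):
            with open(os.path.join(d, name), "w") as fh:
                fh.write("Register['hello'] = 'registered'\n")
            os.chmod(os.path.join(d, name), mode)
        os.symlink(os.path.join(d, "good.plug"), os.path.join(d, "link.plug"))
        for name in ("good.plug", "loose.plug", "link.plug"):
            try:
                run_plugin(d, name, register)
                outcome[name] = "loaded"
            except UnsafePlugin as exc:
                outcome[name] = str(exc)
    return register, outcome
```

This covers only level 1 of the post; the executed code still runs with the full privileges of the calling process.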