Securing the Pyton Interpreter?

Mel Wilson mwilson at the-wire.com
Tue Jul 15 17:59:05 CEST 2003


In article <slrnbh7q3f.kiv.usenet at norge.freeshell.org>,
Stephen VanDahm <usenet at fomps.net> wrote:
>I'm looking for a way to install Python on a UNIX machine in a way such
>that any user on the system can use it, but only to execute scripts that
>are located in a certain directory.  I do not have root access on the
>machine that will be running Python, so my options are limited.  I thought
>about hacking the Python interpreter itself so that it will examine the
>argument array and exit with an error if the script to be executed isn't
>in the appropriate directory, but this seems pretty risky.  The module
>'site.py' is imported automatically upon initialization -- I've thought of
>adding the check there instead.  I don't think either of these solutions
>are very elegant.  Is there a better way?

   I would say, write a program that checks the directory,
then invokes python if it likes what it sees.  Make it suid
as the owner of the installed python to keep people from
sneaking around it.  A shell script might be possible, but I
seem to recall there are complications with suid on scripts
.. though I don't recall what they are.

   This won't work if there's then a permission conflict
with the data the programs are supposed to work on.

        Regards.        Mel.




More information about the Python-list mailing list