Now that rexec is gone...

Alex Martelli aleax at aleax.it
Sat Sep 27 11:46:48 EDT 2003


Rainer Deyke wrote:

> Now that rexec is gone, is there any code or information available on
> executing Python in a restricted environment?  And before I roll my own
> solution, exactly where are the security holes in rexec anyway?
> 
> (I know one way of getting a restricted environment: butcher the Python
> interpreter by removing everything that's even remotely dangerous, use
> Python only for restricted execution, and do everything else in a C++
> program that embeds the butchered Python interpreter.  I'd like to avoid
> doing that, for obvious reasons.)

Actually, such a "butchered" Python interpreter might be a fun and
useful project indeed.  You would have to add programmable limits on
resource consumption -- e.g., memory allocatable by the script[s],
time (CPU or maybe elapsed) usable thereby, etc.  And you should rename
everything, say to use Qy instead of Py, so that a normal and a
butchered interpreter could easily be embedded in the same program.

Once the hard work of "butchering" is done, you might in fact quite
easily expose "the butchered interpreter" via an extension module for
Python proper -- no need to do "everything in C++", you'd just have two
separate Pythons, a full-function one and a seriously-hobbled one.

Not *QUITE* as good as running untrusted code in a separate "jail"'d
process, perhaps, but probably the closest you can come to that on
such environments as Windows.  Note that the need to add resource
limitations is crucial (and was never addressed by rexec, making it
pretty useless to ward against denial-of-service kinds of attacks!).


Alex
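The two points made above, a separate process as the jail and hard limits on what the script may consume, can be put together in a few dozen lines of ordinary Python. The following is an added example (not code from Alex's post, from rexec, or from any Python project): it runs an untrusted snippet in a fresh interpreter process and, in the child, lowers its own rlimits before exec() so that runaway CPU, a huge allocation, or a fork attempt are stopped by the kernel rather than by the interpreter. The limit values, the status labels and the helper names (`run_untrusted`, `_apply_limits`) are this example's own choices. It is POSIX-only (fork()+setrlimit()), and it bounds only resource use: it does not restrict file or network access, so it complements an OS-level jail rather than replacing one.

```python
"""Run untrusted Python in a separate, resource-limited interpreter process.

Added example, not from the original post. rexec tried to restrict what a
script could *do*; these limits restrict what it can *consume* (CPU time,
address space, child processes), the denial-of-service angle rexec never
covered. POSIX only: relies on fork()+setrlimit(), which Windows lacks.
"""
import resource
import signal
import subprocess
import sys

# Assumed defaults for this example; tune per workload.
CPU_SECONDS = 2           # RLIMIT_CPU soft limit: child gets SIGXCPU when exceeded
MEMORY_BYTES = 512 << 20  # RLIMIT_AS: cap on address space so huge allocations fail
WALL_SECONDS = 30         # parent-side wall-clock cap (blocked/sleeping code uses no CPU)


def _apply_limits(cpu_seconds, memory_bytes):
    """Runs in the child between fork() and exec(); lowers its own rlimits.

    Lowering a limit needs no privilege and survives exec(), so the
    interpreter that replaces this process inherits the caps.
    """
    # Soft limit delivers SIGXCPU (terminates by default); the hard limit one
    # second later delivers SIGKILL in case the script installs a handler.
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
    resource.setrlimit(resource.RLIMIT_AS, (memory_bytes, memory_bytes))
    # No fork(): the script cannot spawn helpers that sit outside these limits
    # (an unprivileged process cannot exceed this; root with CAP_SYS_RESOURCE can).
    resource.setrlimit(resource.RLIMIT_NPROC, (0, 0))


def _text(data):
    """Partial output attached to TimeoutExpired may be bytes; normalise to str."""
    if data is None:
        return ""
    return data.decode(errors="replace") if isinstance(data, bytes) else data


def run_untrusted(code, cpu_seconds=CPU_SECONDS, memory_bytes=MEMORY_BYTES,
                  wall_seconds=WALL_SECONDS):
    """Execute `code` in a fresh interpreter and classify how it ended.

    Returns a dict with 'status' in {'ok', 'cpu-limit', 'memory-limit',
    'wall-timeout', 'killed', 'error'} plus returncode, stdout and stderr.
    """
    # -I: isolated mode (ignore PYTHON* env vars and user site-packages, keep the
    # parent's cwd off sys.path); -S: skip site.py entirely.
    argv = [sys.executable, "-I", "-S", "-c", code]
    try:
        proc = subprocess.run(
            argv,
            capture_output=True,
            text=True,
            timeout=wall_seconds,
            stdin=subprocess.DEVNULL,
            # preexec_fn runs in the forked child; avoid it in multithreaded parents.
            preexec_fn=lambda: _apply_limits(cpu_seconds, memory_bytes),
        )
    except subprocess.TimeoutExpired as exc:
        # subprocess.run() has already killed the child for us.
        return {"status": "wall-timeout", "returncode": None,
                "stdout": _text(exc.stdout), "stderr": _text(exc.stderr)}

    rc = proc.returncode
    if rc == 0:
        status = "ok"
    elif rc == -signal.SIGXCPU:
        status = "cpu-limit"
    elif rc == -signal.SIGKILL:
        status = "killed"          # hard CPU limit, or the OOM killer
    elif "MemoryError" in proc.stderr:
        status = "memory-limit"    # allocation refused under RLIMIT_AS
    else:
        status = "error"           # ordinary exception or non-zero exit
    return {"status": status, "returncode": rc,
            "stdout": proc.stdout, "stderr": proc.stderr}


if __name__ == "__main__":
    # Constructed sample scripts: one well-behaved, two denial-of-service
    # attempts that name-hiding in the style of rexec would never have caught.
    samples = [
        ("plain", "print(sum(range(10)))"),
        ("cpu hog", "while True: pass"),
        ("memory bomb", "x = bytearray(1 << 31)"),  # 2 GiB request
    ]
    for label, script in samples:
        result = run_untrusted(script, cpu_seconds=1)
        print(f"{label:12s} -> {result['status']} (rc={result['returncode']})")
```

The three limits cover different failure modes and none is redundant: RLIMIT_CPU catches a busy loop but not a script that sleeps or blocks on I/O, which only the parent's wall-clock timeout catches; RLIMIT_AS makes a single oversized allocation fail with MemoryError inside the child instead of driving the host into swap; RLIMIT_NPROC stops the script from forking helpers that would each get their own budget. Note that RLIMIT_AS is not honoured on macOS, and that an interpreter started with -I -S still has full access to os, socket and the file system, which is exactly the part a process-level jail (chroot, namespaces, seccomp, or a separate user) has to supply.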
