Creating a capabilities-based restricted execution system

Martin v. Loewis martin at v.loewis.de
Sat Jan 3 13:09:48 CET 2004


Sean R. Lynch wrote:
> If you know of a location where the known shortcomings of rexec are 
> documented, please let me know. So far I've only seen a couple examples 
> and a lot of people saying "it's not secure so let's disable it."

The biggest problem is that new-style classes are both available through
the type() builtin, and callable to create new instances.

For example, if you have managed to open a file object f, then

type(f)("/etc/passwd").read()

lets you access a different file, bypassing all machinery that may
have been designed to prevent that from happening.

Of course, for the specific case of file objects, there is additional
machinery preventing that from happening, but in the general case,
there might be more problems in that area. For example, 
object.__subclasses__() gives you access to quite a lot of stuff.

Regards,
Martin




More information about the Python-list mailing list