Restricted Execution on the cheap

Nick Coghlan ncoghlan at email.com
Tue Nov 30 13:58:16 CET 2004


David Pokorny wrote:
> Hi,
> 
> Suppose that one wants to set up a machine to accept python code from,
> say, arbitrary email, and run it safely. Would the following
> (somewhat draconian) precautions be sufficient?

In short, no. Python's introspection capabilities kill you. There are too many 
ways to spell things to be certain all the loopholes are closed.

For instance, take a look at the result of:

   type(sys.stdout)

Sure, you can add 'type' to the banned list, but eventually the banned list is 
so long, writing a useful program is damn near impossible. 'chr' and '__dict__', 
for instance, would almost certainly have to be on the banned list, otherwise:

   key1 = ''.join([chr(x) for x in [95, 95, 98, 117, 105, 108, 116, 105, 110, 
95, 95]])
   key2 = ''.join([chr(x) for x in [102, 105, 108, 101]])
   sys.modules[key1].__dict__[key2]

It isn't accidental that Bastion and rexec got deprecated - the developers just 
can't guarantee that the modules are actually providing adequate protection.

A chroot() jail, setuid() to some permission-less sandbox user and your 
monitoring daemon are likely to get you a lot further.

Regards,
Nick.

P.S. Both examples above are bizarre ways of spelling 'file', for anyone who 
can't be bothered figuring it out.



More information about the Python-list mailing list