Embedding a restricted python interpreter

Paul Rubin
Wed Jan 5 01:29:00 EST 2005


Maurice LING <mauriceling at acm.org> writes:
> I won't really count on that. In my opinion, which may be wrong,
> Python is not constructed to work in a sandbox like Java. Java does it
> by subjecting all classes that it loads to a security
> manager. What you seem to want is for Python to have Java-applet-type
> restrictions.

Java has also been subject to years and years of attacks against the
sandbox, followed by patches, followed by more attacks and more
patches, so at this point it's not so easy to get past the security
any more.  But in the beginning it was full of bugs, and it may still
have bugs.  Python's rexec never attracted the attention of serious
attackers.

If you really have to do restricted execution, your best bet is to put
the sandbox in a separate process chrooted to where it can't mess with
the file system, and have it communicate with your application through
a socket.  I think there may be a way now to trap any system calls
that it attempts, too.  Of course none of that stops resource
exhaustion attacks, etc.

I don't have direct knowledge but it seems to me that there's
potential for the situation to improve under PyPy, whose interpreter
will have an extra layer where various bad operations can be trapped,
if my impression is correct.  So the long term prospects for secure
rexec may be better than the immediate ones.


