securing a python execution environment...

Laszlo Nagy gandalf at shopzeus.com
Mon Nov 19 13:19:48 CET 2007


Chris Withers wrote:
> Hi All,
>
> I'm trying to build a secure execution environment for bits of python 
> for two reasons:
>
> - to allow users of the system to write scripts in python without 
> circumventing the application's security model
>
> - to allow the system to have an environment where security is handled 
> without having to do explicit checks in every piece of example code.
>
> This second point is better demonstrated by an example:
>
> Bad:
>
>  >>> from security import check,AccessDenied
>  >>> if check(someobj,'someattr'):
>  >>>   print someattr
>  >>> else:
>  >>>   raise AccessDenied("can't access 'someattr')
> Traceback (most recent call last):
>    File "<stdin>", line ?, in ?
> AccessDenied: can't access 'someattr'
>
> Good:
>
>  >>> someobj.someattr
> Traceback (most recent call last):
>    File "<stdin>", line ?, in ?
> AccessDenied: can't access 'someattr'
>
> Now, I think I can get a lot of this from Zope 3's security proxy 
> objects, however I need to find a way to limit the importing of modules 
> to, for example, prevent people importing the method that unwraps the 
> proxy objects ;-)
>
> Have other people bumped into this problem?
> What solutions do people recommend?
>   
Once upon a time, there has been a module called "bastillon" (am I 
right?) and "rexec" (restricted execution environment) but they were not 
really secure. It was a long time ago. Python is very flexible, and 
interpreted and it is hard to prevent the users from importing modules. 
They can do nasty things. For example, open a file and eval() it etc. It 
is almost impossible to setup an environment in pure Python, that 
restricts them to do certain things. Python is too flexible for that, 
and "bad" users are too ingenious.

I would say, the only reliable solution is to use a virtual machine. For 
example, use chroot, jail (under FreeBSD) or wmware, and install only 
the allowed modules on that virtual computer. Install firewall rules to 
prevent the user from connecting to any host, use a write-protected 
disk, have them use nobody:nogroup etc. And finally, open one port where 
they can connect to your protected internal server that will check 
permissions and do the actual job for them. In other words, let the 
operating system restrict the resources. Well, this is what I would do, 
maybe I'm wrong. I have never had to do this.

Best,

   Laszlo




More information about the Python-list mailing list