[summerofcode] rexec project
Brett C.
bac at OCF.Berkeley.EDU
Wed Jun 8 21:46:45 CEST 2005
Jonathan Hudson wrote:
> I've been playing around with an idea to make a secure rexec,
> and I think I would like to do that for the summer of code project.
> Essentially, all objects are wrapped by a container restriction object.
> When a module gets imported, any objects that are allowed to be
> accessed would have to be specified outside of the restricted execution
> code.
>
> The restricted object would go something like this:
>
> # restricted object
> class RObject:
>     def __call__(self ....
>         # check if function call is ok and call it if ok
>
>     def __getattr__(self ....
>         # check if ok to read attribute and return it if ok
>
>     ....
>
> RObject would not store any data members itself.
> Instead it would access a global dictionary that isn't
> accessible to the restricted execution code.
> I'm working on some demo code to see if the idea
> might work. Does this sound viable or am I missing something
> important? I've debated myself on how to write up the proposal.
> I just looked at Zope today and decided if my idea doesn't work,
> I could try using their method.
>
Well, Zope uses proxies so the idea has been done and thus is viable.
The real trick with this will be to prevent users from stepping around your
protections. What is preventing me from introspectively looking in your
__call__() method to see what you are going to call, taking that method, and
then replacing the body in __call__() with the method you are protecting?
And if you make specification of what modules can be imported you will need to
make it fool-proof and simple.
-Brett
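
The following is an added example, not part of either message and not code from the proposal or from Zope: a Python 3 sketch of the proxy-plus-global-dictionary design described above, with an audit function that checks the two weaknesses Brett raises (the hidden table being reachable through the method objects, and `__call__` being replaceable). All names (`REGISTRY`, `restrict`, `Account`, `audit_proxy`) are assumptions made for the illustration.

```python
# Added illustration (Python 3); every name here is hypothetical.
REGISTRY = {}  # id(proxy) -> (wrapped object, allowed names); meant to be hidden

class RObject:
    """Proxy with no data members of its own, as in the proposal."""
    __slots__ = ()

    def __getattr__(self, name):
        target, allowed = REGISTRY[id(self)]
        if name not in allowed:
            raise AttributeError(f"access to {name!r} denied")
        return getattr(target, name)

    def __call__(self, *args, **kwargs):
        target, allowed = REGISTRY[id(self)]
        if "__call__" not in allowed:
            raise TypeError("call denied")
        return target(*args, **kwargs)

def restrict(obj, allowed):
    """Wrap obj so that only the listed attribute names are readable."""
    proxy = RObject()
    REGISTRY[id(proxy)] = (obj, frozenset(allowed))
    return proxy

class Account:  # constructed sample object
    def __init__(self):
        self.balance = 100
        self.pin = "constructed-0000"

def audit_proxy(proxy):
    """Report what code holding only `proxy` can reach by introspection."""
    cls = type(proxy)
    findings = {"registry_reachable": False, "target_recovered": None,
                "call_rebindable": False}
    # 1. A Python-level method exposes its module globals, hidden table included.
    for value in getattr(cls.__call__, "__globals__", {}).values():
        if isinstance(value, dict) and id(proxy) in value:
            findings["registry_reachable"] = True
            findings["target_recovered"] = value[id(proxy)][0]
    # 2. The class is mutable: probe by rebinding __call__ to itself (a no-op).
    try:
        cls.__call__ = cls.__call__
        findings["call_rebindable"] = True
    except (AttributeError, TypeError):
        pass
    return findings
```

Any positive finding means the wrapper is not a boundary by itself: the access check has to be enforced somewhere the restricted code can neither introspect nor rebind.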