[Tutor] eval and exec

Marilyn Davis marilyn at deliberate.com
Sun Dec 5 19:06:41 CET 2004


On Sat, 4 Dec 2004, Chad Crabtree wrote:

> Marilyn Davis wrote:
> 
> >Thank you.  You guys are great.
> >
> >I was trying to eval("import %s" % something).  
> >
> >exec("import %s" % something) works just fine and now I understand
> >why.
> >
> >But, why is this so extremely dangerous?
> >
> >Marilyn
> >  
> >
> Mainly it's only extremely dangerous if it's going to be attacked at
> all.  What I mean is it will run any code that it imports this way,
> even untrusted code (possibly).  Mostly I think that it's difficult to
> debug, however if it works you should use it.  It seems that many people
> do this at one point or another, and considered I guess inelegant by
> some.  If security is an issue then this is a very big no no according
> to what I've heard.

And Alan said:

> But much better to use the __import__() function for doing that if
> possible... Or simply importing all the modules you might need at the
> beginning, its not a big overhead...
> 
> Alan G.

There's something about this that I'm not getting.

Is it more dangerous than having the python interpreter around?

Users will have access to our machine via the web and via email.  We
want to be safe against attack.

As I understand it, Apache has modpython, so it runs all the python
code that happens, no matter how many users, with only one copy of the
interpreter in memory.  It's sort of a big exec-machine, isn't it?

I want to do the same trick for my Mail Transfer Agent, exim.  Exim
has a new feature where you can configure it to talk to an AF_UNIX
socket to get any info it needs.  An AF_UNIX socket is file-based and
is not open for outside machines to connect to. So I made a little
python program with a socket and threads so that exim can call the
various python programs that I've written for sorting out mail.

I don't want to introduce insecurity.  But also I want to really
understand what the problem is -- especially because I teach python.

And I can't see the security problem, unless there's a security
problem already, like if I allowed incoming email to dictate the
parameters that I send through the socket.  The email provides data
for argv[1:] but argv[0] is hard-coded.

And I don't see how web traffic can get there at all.

If we had real users with login rights, then they could get to the
interpreter and wouldn't need my little daemon to wreak havoc -- if I
had my permissions wrong.

So what am I missing?

Thank you for your help.

Marilyn
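The point the thread circles around is that `exec("import %s" % something)` does not import a module named by a string; it compiles and runs whatever statements the string contains, so the "module name" becomes code. The script below is an added example, not code from this thread or from any of its posters: it places the exec pattern beside a loader that validates the name and uses `importlib.import_module` (the modern spelling of Alan's `__import__()` suggestion) against a fixed allowlist, which is the shape a socket daemon like the exim one described above would want. The function names, the `ALLOWED_MODULES` set and both input strings are this example's own assumptions.

```python
"""Added example (not from the Tutor thread): why exec("import %s" % name)
turns data into code, and a safer way to load a module chosen at run time.

load_module_unsafe, load_module_safe, ALLOWED_MODULES and the two sample
inputs are assumptions made for this example, not from the original message.
"""
import importlib
import keyword

# Constructed input: what a well-behaved caller sends.
GOOD_NAME = "json"
# Constructed input: what an attacker-controlled field (say, a header copied
# into argv[1:]) could contain.  The "module name" carries a second statement.
# It is harmless here (it only sets a variable) but it proves the string is
# executed as code, not merely looked up as a name.
BAD_NAME = "json\ninjected = True"

# Allowlist of modules the daemon is permitted to load.  Anything not listed
# is refused even if it is a perfectly valid module name.
ALLOWED_MODULES = frozenset({"json", "re", "email"})


def load_module_unsafe(name):
    """The pattern from the thread.  Returns the namespace exec() wrote into
    so the caller can inspect what happened besides the import."""
    namespace = {}
    exec("import %s" % name, namespace)   # runs ANY statements in `name`
    return namespace


def load_module_safe(name):
    """Import by name without exec: check it is a plain identifier, check it
    is on the allowlist, then let importlib do the import."""
    if not isinstance(name, str) or not name.isidentifier() or keyword.iskeyword(name):
        raise ValueError("not a plain module name: %r" % (name,))
    if name not in ALLOWED_MODULES:
        raise ValueError("module not permitted: %r" % (name,))
    return importlib.import_module(name)


def injected_by_exec(name):
    """True if exec()ing the 'import' created a variable that no real import
    would create, i.e. the input was treated as code."""
    namespace = load_module_unsafe(name)
    return namespace.get("injected", False)


def safe_import_refuses(name):
    """True if the validating loader rejects the input."""
    try:
        load_module_safe(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("exec with good name injected?", injected_by_exec(GOOD_NAME))   # False
    print("exec with bad name injected? ", injected_by_exec(BAD_NAME))    # True
    print("safe loader accepts good name:", load_module_safe(GOOD_NAME).__name__)
    print("safe loader refuses bad name: ", safe_import_refuses(BAD_NAME))  # True
    print("safe loader refuses 'os':     ", safe_import_refuses("os"))      # True
```

Two things in the safe loader do the work. `str.isidentifier()` rejects anything with whitespace, punctuation or a newline, so the string can never smuggle a second statement; the allowlist then decides which of the remaining well-formed names the daemon is willing to load at all, which is what keeps a hard-coded `argv[0]` meaningful even when `argv[1:]` comes from incoming mail. Dotted names (`email.parser`) fail `isidentifier()`; if you need them, split on `.`, check each part the same way, and list the full dotted name in the allowlist.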


