[prev in list] [next in list] [prev in thread] [next in thread]
List: python-list
Subject: Re: Embedding a restricted python interpreter
From: Andy Gross <andy () andygross ! org>
Date: 2005-01-05 21:10:02
Message-ID: 2A8E5F75-5F5E-11D9-923E-000A95CED3AC () andygross ! org
[Download RAW message or body]
Check out
http://mail.python.org/pipermail/python-dev/2003-January/031851.html
for a historical thread on rexec.py's vulnerabilities.
Right now, the answer for people who want restricted execution is
usually "wait for pypy", due to the number of tricks that can subvert
the rexec model. There are probably some one-off, application-specific
things you can do that might meet your requirements, like special
import hooks, sys.settrace() callbacks that inspect each running frame
(and are slow), and namespace restrictions on stuff passed to exec or
eval. If you really need sandboxing, your probably out of luck.
Setting up a usermode linux instance or chrooted jail is probably the
best bet today.
/arg
On Jan 4, 2005, at 6:38 PM, Rolf Magnus wrote:
> Hi,
>
> I would like to embed a python interpreter within a program, but since
> that
> program would be able to automatically download scripts from the
> internet,
> I'd like to run those in a restricted environment, which basically
> means
> that I want to allow only a specific set of modules to be used by the
> scripts, so that it wouldn't be possible for them to remove files from
> the
> hard drive, kill processes or do other nasty stuff.
> Is there any way to do that with the standard python interpreter?
>
> --
> http://mail.python.org/mailman/listinfo/python-list
--
http://mail.python.org/mailman/listinfo/python-list
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic