[Python-Dev] For sandboxing: alternative to crippling file()
Brett Cannon
brett at python.org
Thu Jun 29 21:31:22 CEST 2006
On 6/29/06, A.M. Kuchling <amk at amk.ca> wrote:
>> On Thu, Jun 29, 2006 at 11:48:36AM -0700, Brett Cannon wrote:
> > My worry, as has been from the start, is containing 'file'. The ``del
> > __builtins__`` bug for 'rexec' started me as skittish towards hiding
> stuff
> > from the built-in namespace. And knowing how easy it tends to be to get
> at
> > objects and types in Python in general makes me worry even more about
> hiding
> > objects and types properly from people (within reason, of course; if you
>> Random, only tangentially-related thought: what if each interpreter
> had a blacklist of objects that should never be made available to
> untrusted code? You could then put __builtins__, file, and anything
> else on this list. Then, using some #ifdef'ery in ceval.c, check if
> an object is on this blacklist before pushing it onto the evaluation
> stack; if it's a blacklisted object, replace it with None (or raise an
> exception).
Huh. Interesting idea. I would go with the exception position (pushing
None feels very Lua/JavaScript-like),
This entails a performance hit and makes it impossible to support
> Bastion-like functionality, where untrusted code could call code that
> would be treated as trusted, but it also means that, even if you find
> some type(foo).__dict__['blah'].co_magic incantation that lets you get
> to a dangerous type object or module, it wouldn't matter because the
> dangerous value is silently substituted, and the untrusted code has no
> way of breaking out of this. (Could you fool a C extension into doing
> stuff with a dangerous object? Don't know...)
Yeah, that would definitely help with the issue. And I am not even thinking
of Bastion functionality. If you want something like that, write a delegate
in C.
And this could be extended so that a list of objects that should be banned
could be added to and checked as needed. Performance would drop, but I
don't know by how much.
This thought was sparked by the piece on failure-oblivious computing
> in today's Linux Weekly News about this paper:
> http://www.usenix.org/events/osdi04/tech/rinard.html. The authors
> tried continuing to run after a memory error instead of segfaulting:
> out-of-bounds writes were ignored, and OOB reads returned generated
> values. See the LWN discussion for more (subscribers only).
Thanks for the link, Andrew!
-Brett
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.python.org/pipermail/python-dev/attachments/20060629/f4f62fe1/attachment.html
More information about the Python-Dev
mailing list