Embedding a restricted python interpreter

Hi,

I would like to embed a python interpreter within a program, but since that
program would be able to automatically download scripts from the internet,
I'd like to run those in a restricted environment, which basically means
that I want to allow only a specific set of modules to be used by the
scripts, so that it wouldn't be possible for them to remove files from the
hard drive, kill processes or do other nasty stuff.
Is there any way to do that with the standard python interpreter?

Jul 18 '05 #1
Rolf Magnus <ra******@t-online.de> writes:
I would like to embed a python interpreter within a program, but since that
program would be able to automatically download scripts from the internet,
I'd like to run those in a restricted environment, which basically means
that I want to allow only a specific set of modules to be used by the
scripts, so that it wouldn't be possible for them to remove files from the
hard drive, kill processes or do other nasty stuff.
Is there any way to do that with the standard python interpreter?


Don't count on it.
Jul 18 '05 #2
Rolf Magnus wrote:
Hi,

I would like to embed a python interpreter within a program, but since that
program would be able to automatically download scripts from the internet,
I'd like to run those in a restricted environment, which basically means
that I want to allow only a specific set of modules to be used by the
scripts, so that it wouldn't be possible for them to remove files from the
hard drive, kill processes or do other nasty stuff.
Is there any way to do that with the standard python interpreter?


I won't really count on that. In my opinion, which may be wrong, Python
is not constructed to work in a sandbox like Java. Java does it by
subjecting all classes that it loads through a security manager. What
you seem to want is for Python to have Java applet-type restrictions.

You can try to use 'exec' to run your scripts in a constructed
environment. For example,

# 'global' is a reserved word in Python, so the dicts need other names
global_ns = {}
local_ns = {}

# ... your stuff ...

statement = [] # to hold the script to run

for line in statement:
    exec(line, global_ns, local_ns)

global_ns and local_ns are the global and local namespaces respectively.
Although it had been explained to me before, I can't recall the
details of how it works. In gist, you may be able to craft a global and
local environment for your script to run in.

I do not know if it is possible to disable or override 'import'......

maurice
Jul 18 '05 #3
On Wed, 2005-01-05 at 13:43, Maurice LING wrote:
Rolf Magnus wrote:
Hi,

I would like to embed a python interpreter within a program, but since that
program would be able to automatically download scripts from the internet,
I'd like to run those in a restricted environment, which basically means
that I want to allow only a specific set of modules to be used by the
scripts, so that it wouldn't be possible for them to remove files from the
hard drive, kill processes or do other nasty stuff.
Is there any way to do that with the standard python interpreter?

I won't really count on that. In my opinion, which may be wrong, Python
is not constructed to work in a sandbox like Java.


That is my understanding. In fact, I'd say with Python it's nearly
impossible given how dynamic everything is and the number of tricks that
can be used to obfuscate what you're doing. Think of the fun that can be
had with str.encode / str.decode and getattr/hasattr.

I looked into this, and my conclusion ended up being "Well, I'm using
Python because I want its power and flexibility. If I want a secure
scripting environment, I should use something like Lua or Qt Script for
Applications instead."

AFAIK that's why the rexec() builtin is disabled - it's just not
practical to make a restricted Python execution environment.
You can try to use 'exec' to run your scripts in a constructed
environment. For example,

# 'global' is a reserved word in Python, so the dicts need other names
global_ns = {}
local_ns = {}

# ... your stuff ...

statement = [] # to hold the script to run

for line in statement:
    exec(line, global_ns, local_ns)

global_ns and local_ns are the global and local namespaces respectively.
Although it had been explained to me before, I can't recall the
details of how it works. In gist, you may be able to craft a global and
local environment for your script to run in.
I do not know if it is possible to disable or override 'import'......


You can do a fair bit to it by wrapping/replacing __builtin__.__import__.
Preventing people from getting around what you've done, though... not
sure.

--
Craig Ringer

Jul 18 '05 #4
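
Added example, not code from any poster in this thread: the two ideas above combined, a constructed namespace for exec plus a replacement `__import__` that admits only an allowlist. It is written for Python 3, where the module the post calls `__builtin__` is named `builtins`; the allowlist and all function names are assumptions. As the posts themselves say, this limits what a script reaches by ordinary means and is not a security boundary.

```python
# Added example: the allowlist and function names are assumptions.
import builtins

ALLOWED_MODULES = frozenset({"math", "string"})   # constructed allowlist
SAFE_BUILTINS = (
    "abs", "bool", "dict", "enumerate", "float", "int", "len", "list",
    "max", "min", "range", "repr", "sorted", "str", "sum", "tuple", "zip",
)


def guarded_import(name, globals=None, locals=None, fromlist=(), level=0):
    """Stand-in for __import__: admit allowlisted top-level modules only."""
    if level != 0 or name.split(".")[0] not in ALLOWED_MODULES:
        raise ImportError("import of %r is not permitted here" % name)
    return builtins.__import__(name, globals, locals, fromlist, level)


def build_namespace():
    """Globals for exec(): a reduced __builtins__ plus the import hook."""
    reduced = {name: getattr(builtins, name) for name in SAFE_BUILTINS}
    reduced["__import__"] = guarded_import
    return {"__builtins__": reduced, "__name__": "__script__"}


def run_script(source):
    """Exec source in a fresh namespace; return (namespace, error or None)."""
    namespace = build_namespace()
    try:
        exec(compile(source, "<script>", "exec"), namespace)
    except Exception as exc:
        return namespace, exc
    return namespace, None


if __name__ == "__main__":
    # Constructed sample scripts: one allowed import, one refused import,
    # one use of a builtin that was left out of the namespace.
    for src in ("import math\nresult = math.floor(2.7)",
                "import os",
                "handle = open('notes.txt')"):
        ns, err = run_script(src)
        print(repr(src), "->", ns.get("result"), type(err).__name__)
```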
Maurice LING <ma*********@acm.org> writes:
I won't really count on that. In my opinion, which may be wrong,
Python is not constructed to work in a sandbox like Java. Java does it
by subjecting all classes that it loads through a security
manager. What you seem to want is for Python to have Java applet-type
restrictions.


Java has also been subject to years and years of attacks against the
sandbox, followed by patches, followed by more attacks and more
patches, so at this point it's not so easy to get past the security
any more. But in the beginning it was full of bugs, and it may still
have bugs. Python's rexec never attracted the attention of serious
attackers.

If you really have to do restricted execution, your best bet is to put
the sandbox in a separate process chrooted to where it can't mess with
the file system, and have it communicate with your application through
a socket. I think there may be a way now to trap any system calls
that it attempts, too. Of course none of that stops resource
exhaustion attacks, etc.

I don't have direct knowledge but it seems to me that there's
potential for the situation to improve under PyPy, whose interpreter
will have an extra layer where various bad operations can be trapped,
if my impression is correct. So the long term prospects for secure
rexec may be better than the immediate ones.
Jul 18 '05 #5
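
Added example, not code from the post above: the separate-process approach for Linux and Python 3, with the script sent to a child interpreter and the result read back by the parent. It uses a pipe where the post suggests a socket, leaves out the chroot step (it needs root and a jail that contains an interpreter), and adds rlimits, which the post does not mention, as a partial answer to resource exhaustion; the limit values and function names are assumptions.

```python
# Added example: constructed limits and names, not from the thread.
import resource
import subprocess
import sys

CPU_SECONDS = 1                    # assumed CPU budget per script
ADDRESS_SPACE = 1024 ** 3          # assumed 1 GiB address-space cap
MAX_OPEN_FILES = 16
OUTPUT_LIMIT = 64 * 1024           # bytes of stdout kept by the parent


def _cap(kind, value):
    """Lower one rlimit, never asking for more than the current hard limit."""
    _soft, hard = resource.getrlimit(kind)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(kind, (value, value))


def _apply_limits():
    """Runs in the child after fork() and before exec()."""
    _cap(resource.RLIMIT_CPU, CPU_SECONDS)
    _cap(resource.RLIMIT_AS, ADDRESS_SPACE)
    _cap(resource.RLIMIT_NOFILE, MAX_OPEN_FILES)
    _cap(resource.RLIMIT_FSIZE, 0)   # files can be created but not grown
    _cap(resource.RLIMIT_CORE, 0)


def run_isolated(source, wall_seconds=5):
    """Run untrusted source in a child interpreter; return a result dict."""
    proc = subprocess.Popen(
        [sys.executable, "-I", "-S", "-"],   # isolated mode, script on stdin
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        stderr=subprocess.DEVNULL,
        env={},                              # nothing inherited from the host
        cwd="/",
        close_fds=True,
        preexec_fn=_apply_limits,
    )
    try:
        out, _ = proc.communicate(source.encode(), timeout=wall_seconds)
    except subprocess.TimeoutExpired:
        proc.kill()
        out, _ = proc.communicate()
        status = "timeout"
    else:
        if proc.returncode == 0:
            status = "ok"
        elif proc.returncode < 0:
            status = "killed"                # terminated by a signal
        else:
            status = "failed"                # uncaught exception or exit(n)
    return {
        "status": status,
        "returncode": proc.returncode,
        "output": out[:OUTPUT_LIMIT].decode("utf-8", "replace"),
    }


if __name__ == "__main__":
    print(run_isolated("print(6 * 7)"))          # constructed sample scripts
    print(run_isolated("while True: pass"))
```

The child still runs with the parent's user id and sees the same file system, which is the gap the chroot in the post is meant to close.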
Fredrik Lundh (at www.effbot.org) was working on a 'cut down python'
that only implements the bits of python he likes !! It would be great
if the core of that interpreter could be used as a 'restricted
interpreter'.

If you could externally disable os, sys, os.path modules etc and limit
the set of modules, then you could have a useful restricted
environment. It would need a special interpreter though - so NO is the
short answer.
Regards,

Fuzzy
http://www.voidspace.org.uk/python/index.shtml

Jul 18 '05 #6

Check out
http://mail.python.org/pipermail/pyt...ry/031851.html
for a historical thread on rexec.py's vulnerabilities.

Right now, the answer for people who want restricted execution is
usually "wait for pypy", due to the number of tricks that can subvert
the rexec model. There are probably some one-off, application-specific
things you can do that might meet your requirements, like special
import hooks, sys.settrace() callbacks that inspect each running frame
(and are slow), and namespace restrictions on stuff passed to exec or
eval. If you really need sandboxing, you're probably out of luck.
Setting up a usermode linux instance or chrooted jail is probably the
best bet today.

/arg
On Jan 4, 2005, at 6:38 PM, Rolf Magnus wrote:
Hi,

I would like to embed a python interpreter within a program, but since that
program would be able to automatically download scripts from the internet,
I'd like to run those in a restricted environment, which basically means
that I want to allow only a specific set of modules to be used by the
scripts, so that it wouldn't be possible for them to remove files from the
hard drive, kill processes or do other nasty stuff.
Is there any way to do that with the standard python interpreter?

--
http://mail.python.org/mailman/listinfo/python-list


Jul 18 '05 #7
Craig Ringer wrote:
That is my understanding. In fact, I'd say with Python it's nearly
impossible given how dynamic everything is and the number of tricks that
can be used to obfuscate what you're doing. Think of the fun that can be
had with str.encode / str.decode and getattr/hasattr.
It would certainly be difficult to track all harmful code constructs.
But AFAIK the idea of a sandbox is not to look at the offending code
but to protect the offended objects: files, databases, URLs, sockets
etc. and to raise a security exception when some code tries to offend
them. Jython is as dynamic as C-Python and yet it generates class
files behaving well under the JVM's security regime.

I looked into this, and my conclusion ended up being "Well, I'm using
Python because I want its power and flexibility. If I want a secure
scripting environment, I should use something like Lua or Qt Script for
Applications instead."


It would be good for Python if it would offer a secure mode. Some
time ago I asked my hosting provider whether I could use mod_python
with apache to run Python scripts in the same way as PHP scripts.
He denied that, pointing to Python security issues and to PHP safe
mode. Python IS powerful but there are many areas where it is of
vital interest who is allowed to use its power and what can be done
with it. I think it would be a pity to exclude Python from these
areas where a lot of programming/computing is done.

Python is a very well designed language but progress is made by
criticism not by satisfaction ;)

--
-------------------------------------------------------------------
Peter Maas, M+R Infosysteme, D-52070 Aachen, Tel +49-241-93878-0
E-mail 'cGV0ZXIubWFhc0 BtcGx1c3IuZGU=\ n'.decode('base 64')
-------------------------------------------------------------------
Jul 18 '05 #8
Rolf Magnus wrote:
I would like to embed a python interpreter within a program, but since
that program would be able to automatically download scripts from the
internet, I'd like to run those in a restricted environment, which
basically means that I want to allow only a specific set of modules to be
used by the scripts, so that it wouldn't be possible for them to remove
files from the hard drive, kill processes or do other nasty stuff.
Is there any way to do that with the standard python interpreter?


Current advice seems to be essentially "no".

I've been pondering adding limited scripting to some personal apps I've
written and due to this toyed around with the idea of simple but parser
that only used ":" and whitespaces for indicating blocks with the aim of
being a generic/"universal" (*) language parser that could be used for many
little "languages". (ie no keywords, just "pure" structure)

(*) By "universal" I mean something that allows a variety of different
styles of syntax to be used, whilst technically still sharing the
same underlying syntax. (Since that's a rather bogus statement,
that's why it has quotes :)

In the end I sat down and wrote such a beast largely as a fun exercise. (It
uses PLY and is an SLR grammar) It *doesn't* have any backend so you get to
decide how restricted it can be, but, for example, the following code
would parse happily:
(It's not quite python, but it's close syntactically)

class Grammar(object):
    from Lexer import Tokens as tokens
    precedence = ( ( "left", "DOT"))
    def p_error(self,p):
        print "Syntax error at", p
    end
end

This parses as follows:

A class function is provided with 3 arguments:
* Grammar(object)
* A code block
* A lexical token "end" (Which could be anything)

The code block then contains 3 statements
* The first is a function call, to a function called "from"
* The second is an assignment statement
* The third is a function call to the function "def" (which in turn takes
3 arguments - a signature, a codeblock and a trailing token (the
trailing token allows "else" clauses and try/except style blocks)

etc

However it will also parse happily:

EXPORT PROC compare(field::PTR TO person,type=>NIL) OF person:
    DEF result=FALSE
    IF type:
        SELECT type:
            CASE NAME:
                result:=compare_name(self.name,field)
            CASE PHONE:
                result:=compare_telephone(self.telephone,field)
            CASE ADDRESS:
                result:=compare_address(self.address,field)
            ENDCASES
        ENDSELECT
    ELSE:
        result:=compare_name(self.name,field,ORDER) # if type = NIL, ordering
    ENDIF
ENDPROC result

And also programs of the form:

shape square:
    pen down
    repeat 4:
        forward 10
        rotate 90
    end
    pen up
end

repeat (360/5):
    square()
    rotate 5
end

and so on.

If you're prepared to write backends to traverse an AST then you might find
it useful. (I also wrote the parser as an exercise in trying to generate a
parser in a test first manner)

If you're curious as to the sorts of languages it could parse the test cases
are here:
* http://thwackety.com/viewcvs/viewcvs...tch/SWP/progs/

Some rather random examples are:
29, A copy of the parser file at that point in time, but rewritten in a
python-esque language parsable by the parser
33, A simple program in a logo type language
34, A simple program based on declarative l-systems for modelling
biological growth systems.
35, A simple SML-like language file implementing a stack
37, An implementation of a "Person" object module in an Amiga-E like
language.

(NB, here "language" means whatever AST a given backend might understand,
since they're all technically the same language)

http://thwackety.com/viewcvs/viewcvs...README?rev=1.1

Describes the grammar, etc. (31 explicit rules, or alternatively 13
aggregate rules)

If you think it might be useful to you, feel free to do an anonymous
checkout:

cvs -d :pserver:an*******@cerenity.org:2401/home/cvs/cvsroot login
cvs -d :pserver:an*******@cerenity.org:2401/home/cvs/cvsroot co Scratch/SWP/

Since there is *no* backend at all at present this would be a bit of work.
(I've been tempted to investigate putting a lisp backend on the back, but
not found the time to do so. If I did though this would be a brackets free
lisp :) You can find PLY here: http://systems.cs.uchicago.edu/ply/.

Best Regards,
Michael.

Jul 18 '05 #9
Rolf Magnus wrote:
Hi,

I would like to embed a python interpreter within a program, but since that
program would be able to automatically download scripts from the internet,
I'd like to run those in a restricted environment, which basically means
that I want to allow only a specific set of modules to be used by the
scripts, so that it wouldn't be possible for them to remove files from the
hard drive, kill processes or do other nasty stuff.
Is there any way to do that with the standard python interpreter?


Hi, there is a page on this topic here:
http://www.python.org/moin/SandboxedPython

The short answer is that it is not possible to do this with CPython,
but you can run sandboxed code on other virtual machines, such as Java's
JVM with Jython, or .NET/Mono's CLR with Boo or IronPython.

In the future it may also be possible to do this with PyPy or Parrot.
Jul 18 '05 #10
