
Safe Python Execution

I've been messing around with trying to get a small sandbox-like
environment where I could execute Python code in a "safe" way.
Basically what the old restricted execution module attempted to do.
I've written a small amount of code to get a custom interpreter running,
but I'm not really sure if it's safe.

The way I'm controlling functionality is with some games and exec, so
if 'code' was the text code you wanted to execute I run:

exec code in {'__builtins__':None}

Obviously this doesn't give you much to play with, but it does remove
file access and importing as far as I can tell. Can anyone think of a
hack around this? I assume if it was this easy it would be a module
already, but I figured I would ask.

Graham.

Feb 16 '06 #1
Graham wrote:
The way I'm controlling functionality is with some games and exec, so
if 'code' was the text code you wanted to execute I run:

exec code in {'__builtins__':None}

Obviously this doesn't give you much to play with, but it does remove
file access and importing as far as I can tell. Can anyone think of a
hack around this? I assume if it was this easy it would be a module
already, but I figured I would ask.


Search the newsgroups, but one of the major problems is that all
subclasses of object are available through object.__subclasses__():
>>> (1).__class__.__bases__[0].__subclasses__()
[<type 'type'>, <type 'weakref'>, <type 'int'>, <type 'basestring'>,
...
<type 'dictproxy'>, <type 'code'>, <type 'frame'>]

Note that this also includes any classes you define that are subclasses
of object:
>>> class C(object):
...     dont_change_this = 42
...
>>> exec '''\
... subclasses = (1).__class__.__bases__[0].__subclasses__()
... C, = [cls for cls in subclasses if cls.__name__ == 'C']
... C.dont_change_this = 'bwahahaha'
... ''' in {'__builtins__':None}
>>> C.dont_change_this
'bwahahaha'

So if you're really concerned about your objects being manipulated by
users, the ``exec code in {'__builtins__':None}`` technique is not going
to help you out. However, the code will be executed in restricted mode,
so things like the file constructor won't work. Not sure if that's
enough for you...

STeVe
Feb 16 '06 #2

Graham wrote:
I've been messing around with trying to get a small sandbox-like
environment where I could execute Python code in a "safe" way.
Basically what the old restricted execution module attempted to do.
I've written a small amount of code to get a custom interpreter running,
but I'm not really sure if it's safe.

The way I'm controlling functionality is with some games and exec, so
if 'code' was the text code you wanted to execute I run:

exec code in {'__builtins__':None}

Obviously this doesn't give you much to play with, but it does remove
file access and importing as far as I can tell. Can anyone think of a
hack around this? I assume if it was this easy it would be a module
already, but I figured I would ask.


You need to remove reload, replace __import__, disable __subclasses__
(neither convenient nor portable because you need to do it in the source.
Shouldn't it be restricted in restricted mode?). That removes most
glaring security holes, I think. If you need to touch any of the
attributes of the objects in the sandbox, you might want to remove
properties. I wouldn't recommend exposing any objects outside of the
sandbox to the sandbox, either.

Zope also has some cool viral proxy thing that I don't understand that
you might want to look into.

Feb 16 '06 #3
"Graham" <gr***********@gmail.com> writes:
I've been messing around with trying to get a small sandbox-like
environment where I could execute Python code in a "safe" way.
Basically what the old restricted execution module attempted to do.


The old rexec module was removed for the precise reason that it wasn't
safe and there is no simple way to fix it.
Feb 16 '06 #4
Graham <gr***********@gmail.com> wrote:
I've been messing around with trying to get a small sandbox-like
environment where I could execute Python code in a "safe" way.
Basically what the old restricted execution module attempted to do.
I've written a small amount of code to get a custom interpreter running,
but I'm not really sure if it's safe.

The way I'm controlling functionality is with some games and exec, so
if 'code' was the text code you wanted to execute I run:

exec code in {'__builtins__':None}

Obviously this doesn't give you much to play with, but it does remove
file access and importing as far as I can tell. Can anyone think of a
hack around this? I assume if it was this easy it would be a module
already, but I figured I would ask.


I suggest compiling the code and examining the names used in the code
object (co_names attribute of the code object which compile returns) --
refuse to execute the code if it mentions, defines or uses any special
name (starting and ending with two underscores). That, plus removing
almost all builtins as you do here, should be a good start.
Alex
Feb 16 '06 #5

Jean-Paul Calderone wrote:
On Thu, 16 Feb 2006 07:59:03 -0800, Alex Martelli <al*****@yahoo.com> wrote:
Graham <gr***********@gmail.com> wrote:
I've been messing around with trying to get a small sandbox-like
environment where I could execute Python code in a "safe" way.
Basically what the old restricted execution module attempted to do.
I've written a small amount of code to get a custom interpreter running,
but I'm not really sure if it's safe.

The way I'm controlling functionality is with some games and exec, so
if 'code' was the text code you wanted to execute I run:

exec code in {'__builtins__':None}

Obviously this doesn't give you much to play with, but it does remove
file access and importing as far as I can tell. Can anyone think of a
hack around this? I assume if it was this easy it would be a module
already, but I figured I would ask.


I suggest compiling the code and examining the names used in the code
object (co_names attribute of the code object which compile returns) --
refuse to execute the code if it mentions, defines or uses any special
name (starting and ending with two underscores). That, plus removing
almost all builtins as you do here, should be a good start.


A good start, perhaps, but still in need of a good finish.

"""
exec 'print ' + ''.join(map(chr, [
95, 95, 98, 117, 105, 108, 116, 105, 110, 115, 95, 95]))
"""

You can come up with a long list of restrictions to impose, and maybe that will be good enough. But making it /perfect/ is a Herculean task, as is maintaining it as new Python releases are made, and auditing it every time you add a new piece of code to your system.


What about what's in zope, :
http://svn.zope.org/Zope3/trunk/src/....txt?view=auto

Feb 16 '06 #6
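Alex's co_names check from post #5, written out as an added example (my code, not anything posted in the thread). It targets Python 3, where the code-object attributes are the same but exec is a builtin name rather than a statement; it recurses into nested code objects, which carry their own name tables, and also flags the names that can build a dunder name at run time, which is the gap Jean-Paul's reply points at. The DYNAMIC_ACCESS set and both sample inputs are my own constructions.

```python
import types

# Names that let code assemble an attribute or global name at run time,
# which a scan of co_names cannot see (Jean-Paul's chr/join trick). In
# Python 3, exec and eval are ordinary builtin names, so they appear in
# co_names and can be flagged statically; in Python 2 exec was a statement.
DYNAMIC_ACCESS = {"getattr", "setattr", "delattr", "exec", "eval",
                  "vars", "globals", "locals", "__import__"}


def _is_flagged(name):
    """True for __dunder__ names and for the dynamic-access builtins."""
    is_dunder = len(name) > 4 and name.startswith("__") and name.endswith("__")
    return is_dunder or name in DYNAMIC_ACCESS


def find_flagged_names(code):
    """Collect flagged names mentioned, defined or used by a code object.

    co_names holds globals and attribute names (so x.__class__ and
    obj.__subclasses__() land here), co_varnames holds locals and
    parameters, co_freevars/co_cellvars hold closure variables. Functions,
    lambdas and (before 3.12) comprehensions are nested code objects stored
    in co_consts with their own tables, so recurse into them.
    """
    found = set()
    for table in (code.co_names, code.co_varnames,
                  code.co_freevars, code.co_cellvars):
        found.update(n for n in table if _is_flagged(n))
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            found |= find_flagged_names(const)
    return found


def check_untrusted_source(source):
    """Compile without executing; return the flagged names, sorted.

    An empty list means the static check passed, not that the code is safe:
    it is one layer on top of removing builtins, as Alex suggested.
    """
    code = compile(source, "<untrusted>", "exec")
    return sorted(find_flagged_names(code))


# Constructed sample inputs. The first is the escape Steve showed: it needs
# no builtin at all, only attribute access on the int 1.
SUBCLASS_WALK = """\
subclasses = (1).__class__.__bases__[0].__subclasses__()
C, = [cls for cls in subclasses if cls.__name__ == 'C']
C.dont_change_this = 'bwahahaha'
"""
HARMLESS = "total = sum(x * x for x in range(10))\n"
```

Running check_untrusted_source(SUBCLASS_WALK) returns the four dunder attribute names and refuses nothing by itself; the caller decides whether a non-empty list means "reject", which is the policy Alex described.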
It looks like untrustedinterpreter has at least two major obstacles to
executing reasonably complex code:

augmented assignment is not supported:
a.b = 'foo'
is translated into
__getattr__(a,b) = 'foo'

Second, this is mysterious, but nevertheless...
"""This form of restricted Python assumes that security proxies will be
used to protect assets. Given this, the only thing that actually
needs to be done differently by the generated code is to:
<some other items>
- Prevent try/except and raise statements. This is mainly because they
don't work properly in the presence of security proxies. Try/except
statements will be made to work in the future.
"""
--Zope-3.2.0/Dependencies/zope.security-Zope-3.2.0/zope.security/untrustedpython/rcompile.txt

Is anyone aware of a more functional but still untrusted python? One
could remove the ability to access pipes & files from regular python,
build it, and launch the resulting python-slave from a (normal python)
master process... However I'm pretty confident that if I did this
myself, I'd leave more than a few glaring security holes for an
ambitious 9-year-old.

Any help appreciated!

David

Feb 21 '06 #7
db*******@gmail.com wrote:

Is anyone aware of a more functional but still untrusted python?


Given that you've looked into Zope 3's security/proxy mechanisms, have
you also looked at mxProxy?

http://www.egenix.com/files/python/mxProxy.html

Paul

Feb 21 '06 #8
