I noticed that this issue has been discussed in this newsgroup
periodically over the years and I seem to understand that -
comprehensive- safe/restricted execution of untrusted code in python
is currently quite hard to achieve.
What if the safety requirements are a little relaxed though? All I'd
want to prevent is for the code opening/damaging files, formatting
drives or similarly catastrophic exploits. I'm not particularly
concerned if the application freeze or crashes. Nor if the
application's objects are inspected and exploited. All I want is to
make sure that if somebody uses my application plus a third party
plugin for it, the worst that can happen is that they can't use my
application with that plugin.
Is that feasible?
Thanks for your help!
Manu
9  1411 
On Oct 30, 6:35*am, "Emanuele D'Arrigo" <man...@gmail.comwrote:
I noticed that this issue has been discussed in this newsgroup
periodically over the years and I seem to understand that -
comprehensive- safe/restricted execution of untrusted code in python
is currently quite hard to achieve.
What if the safety requirements are a little relaxed though? All I'd
want to prevent is for the code opening/damaging files, formatting
drives or similarly catastrophic exploits. I'm not particularly
concerned if the application freeze or crashes. Nor if the
application's objects are inspected and exploited. All I want is to
make sure that if somebody uses my application plus a third party
plugin for it, the worst that can happen is that they can't use my
application with that plugin.
Is that feasible?
Thanks for your help!
Manu
Hi. One opinion is that you could do it with a custom Python
installation, removing or restricting the import statement, removing
or restricting the os module, the file type, etc. Here is some
problematic code:
>>cust= (1).__class__.__bases__[0].__subclasses__()
[ x for x in cust if x.__name__== 'file' ]
[<type 'file'>]
The foreign code can get to the 'file' type. If you don't have it,
that's not a problem.
Otherwise, you might be able to remove access to it by modifying
however it is the 'cust' list is obtained. Perhaps you can use the
technique that's used to change the value of integers. Keep us
posted. Does this give you any ideas?
On Oct 30, 3:50*pm, Aaron Brady <castiro...@gmail.comwrote:
On Oct 30, 6:35*am, "Emanuele D'Arrigo" <man...@gmail.comwrote:
I noticed that this issue has been discussed in this newsgroup
periodically over the years and I seem to understand that -
comprehensive- safe/restricted execution of untrusted code in python
is currently quite hard to achieve.
What if the safety requirements are a little relaxed though? All I'd
want to prevent is for the code opening/damaging files, formatting
drives or similarly catastrophic exploits. I'm not particularly
concerned if the application freeze or crashes. Nor if the
application's objects are inspected and exploited. All I want is to
make sure that if somebody uses my application plus a third party
plugin for it, the worst that can happen is that they can't use my
application with that plugin.
Is that feasible?
Thanks for your help!
Manu
Hi. *One opinion is that you could do it with a custom Python
installation, removing or restricting the import statement, removing
or restricting the os module, the file type, etc. *Here is some
problematic code:
>cust= (1).__class__.__bases__[0].__subclasses__()
[ x for x in cust if x.__name__== 'file' ]
[<type 'file'>]
The foreign code can get to the 'file' type. *If you don't have it,
that's not a problem.
Otherwise, you might be able to remove access to it by modifying
however it is the 'cust' list is obtained. *Perhaps you can use the
technique that's used to change the value of integers. *Keep us
posted. *Does this give you any ideas?
The hackery I was referring to makes a cut into this particular
vulnerability. It empties the 'tp_subclasses' field of 'object', but
who knows how else one could get to it?
from _ctypes import _cast_addr
_data_cast= c.PYFUNCTYPE(c.py_object, c.py_object, c.py_object,
c.py_object)(_cast_addr)
x= _data_cast( object, None, c.c_void_p )
y= _typeobject.from_address( x.value )
y.tp_subclasses= 0 #<--- dirty work done here (embarassed)
assert (1).__class__.__bases__[0].__subclasses__()== [] #<--- (!!!)
Though, oddly enough,
_data_cast( object, None, _typeobject )
doesn't work.
On Oct 30, 8:50*pm, Aaron Brady <castiro...@gmail.comwrote:
Otherwise, you might be able to remove access to it by modifying
however it is the 'cust' list is obtained. *Perhaps you can use the
technique that's used to change the value of integers. *Keep us
posted. *Does this give you any ideas?
Nope! Not really! These are python quirks beyond my current level of
knowledge! <sigh=(
I suspect I'll simply drop from my application the possibility for
users to write their own plugins. Or I'll simply rely on the
unlikelihood of somebody taking the opportunity to do something
malicious. After all there are plenty of applications with an open-
architecture that leave the responsibility in the hands of the plugin
developers and the plugins users.
Thanks anyway!
Manu
In message
<b4**********************************@m3g2000hsc.g ooglegroups.com>,
Emanuele D'Arrigo wrote:
I noticed that this issue has been discussed in this newsgroup
periodically over the years and I seem to understand that -
comprehensive- safe/restricted execution of untrusted code in python
I think the most reliable solution is to take advantage of a level in the
system that already has to provide protection against malicious code: use a
chroot jail. Or run a complete virtualized machine with its own OS
installation. Then the code is free to do what it wants, it simply won't
see anything sensitive that it could compromise.
On Nov 1, 12:44*am, Lawrence D'Oliveiro wrote:
I think the most reliable solution is to take advantage of a level in the
system that already has to provide protection against malicious code: usea
chroot jail. Or run a complete virtualized machine with its own OS
installation. Then the code is free to do what it wants, it simply won't
see anything sensitive that it could compromise.
[sigh] That sound a little overkill for a small application. I guess
somebody should come up with a sandbox version of python, that can be
executed, say, with a directory provided as a parameter and all the os
calls are never made above that level.
Manu
"Emanuele D'Arrigo" <ma****@gmail.comwrites:
On Nov 1, 12:44Â*am, Lawrence D'Oliveiro wrote:
I think the most reliable solution is to take advantage of a level
in the system that already has to provide protection against
malicious code: use a chroot jail.
[…]
>
[sigh] That sound a little overkill for a small application. I guess
somebody should come up with a sandbox version of python, that can
be executed, say, with a directory provided as a parameter and all
the os calls are never made above that level.
That's exactly what a chroot jail *is*, except you don't need to wait
for a special version of Python. You don't gain anything with the
appropach you describe that you wouldn't have by setting up a chroot
jail using the existing functionality for that purpose.
--
\ “You can't have everything; where would you put it?” —Steven |
`\ Wright |
_o__) |
Ben Finney
In article <87************@benfinney.id.au>,
Ben Finney <bi****************@benfinney.id.auwrote:
"Emanuele D'Arrigo" <ma****@gmail.comwrites:
On Nov 1, 12:44Â*am, Lawrence D'Oliveiro wrote:
I think the most reliable solution is to take advantage of a level
in the system that already has to provide protection against
malicious code: use a chroot jail.
[…]
[sigh] That sound a little overkill for a small application. I guess
somebody should come up with a sandbox version of python, that can
be executed, say, with a directory provided as a parameter and all
the os calls are never made above that level.
That's exactly what a chroot jail *is*, except you don't need to wait
for a special version of Python.
What's more, the kernel is in a much better position to understand how a
pathname maps to a location in the physical file system than any
application could. Should Python attempt to understand what it means to
traverse a symlink? A mount point?
Thanks to those who replied and sorry for not having replied sooner.
Ok, got the message: chroot jail. I understand chroot is available for
unix-like OS as a kernel-provided facility. If I was developing for,
say, Linux or maybe even MacOSX, it might even be easy. My target OS
however are XP and Vista. I did find chroot-like features in various
virtualization platforms for those OS, but it would definitely be
overkill to request the user that he installs a virtualization
software to run a small application. I was reading this page http://wiki.python.org/moin/How%20ca...i.e.%20Sandbox)
and it seems to me my only two options are pypy-c and Jython. Would
you agree or are there more avenues to explore given my OS
requirements?
Manu
"Emanuele D'Arrigo" <ma****@gmail.comwrites:
My target OS however are XP and Vista. I did find chroot-like
features in various virtualization platforms for those OS, but it
would definitely be overkill to request the user that he installs a
virtualization software to run a small application.
If you're trying to retro-fit secure execution of untrusted code onto
those operating systems, you have a much larger set of problems than
trying to choose the right Python implementation. Good luck.
--
\ “If I haven't seen as far as others, it is because giants were |
`\ standing on my shoulders.” —Hal Abelson |
_o__) |
Ben Finney This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Sean R. Lynch |
last post by:
I've been playing around with Zope's RestrictedPython, and I think I'm
on the way to making the modifications necessary to create a
capabilities-based restricted execution system. The idea is to...
|
by: Jim Washington |
last post by:
I'm still working on yet another parser for JSON (http://json.org). It's
called minjson, and it's tolerant on input, strict on output, and pretty
fast. The only problem is, it uses eval(). It's...
|
by: iapain |
last post by:
I'm developing a webIDE for python and I've 2 questions regarding it.
1. How can i disable some of the modules without deleting. e.g I wish
to disable "os" module.
2. How can i force user code...
|
by: Ben |
last post by:
Hello,
I've been developing apps in Delphi for years and have just started
writing my first big project in c# + ms .net and have some questions
about security and untrusted code.
I've got an...
|
by: Dmitri Fedoruk |
last post by:
Hello everyone,
I'm developing a mod_python application that is based on XML\XSLT
transforming.
I used 4Suite libraries for that, but as the speed was unacceptable
for me, I switched to lxml....
|
by: Paul Rudin |
last post by:
I'm occasionally seeing tracebacks like this:
Traceback (most recent call last):
File "logging/__init__.py", line 744, in emit
File "logging/__init__.py", line 630, in format
File...
|
by: Andrey Fedorov |
last post by:
Is the scope of a closure accessible after it's been created? Is it
safe against XSS to use closures to store "private" auth tokens? In
particular, in...
....can untrusted code access...
|
by: ryjfgjl |
last post by:
In our work, we often need to import Excel data into databases (such as MySQL, SQL Server, Oracle) for data analysis and processing. Usually, we use database tools like Navicat or the Excel import...
|
by: taylorcarr |
last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
|
by: aa123db |
last post by:
Variable and constants
Use var or let for variables and const fror constants.
Var foo ='bar';
Let foo ='bar';const baz ='bar';
Functions
function $name$ ($parameters$) {
}
...
|
by: ryjfgjl |
last post by:
If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...
|
by: ryjfgjl |
last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
| |
