Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   Python (http://www.velocityreviews.com/forums/f43-python.html)
-   -   Now that rexec is gone... (http://www.velocityreviews.com/forums/t322966-now-that-rexec-is-gone.html)

Rainer Deyke 09-27-2003 04:44 AM

Now that rexec is gone...
 
Now that rexec is gone, is there any code or information available on
executing Python in a restricted environment? And before I roll my own
solution, exactly where the security holes in rexec anyway?

(I know one way of getting a restricted environment: butcher the Python
interpreter by removing everything that's even remotely dangerous, use
Python only for restricted execution, and do everything else in a C++
program that embeds the butchered Python interpreter. I'd like to avoid
doing that, for obvious reasons.)


--
Rainer Deyke - rainerd@eldwood.com - http://eldwood.com




Terry Reedy 09-27-2003 05:11 AM

Re: Now that rexec is gone...
 

"Rainer Deyke" <rainerd@eldwood.com> wrote in message
news:XA8db.597231$o%2.276974@sccrnsc02...
> Now that rexec is gone, is there any code or information available

on
> executing Python in a restricted environment? And before I roll my

own
> solution, exactly where the security holes in rexec anyway?


Suggest you google last year of c.l.py for 'rexec'. Also check out
py-dev summaries of last fall for discussion of why removed.

TJR



Michael Hudson 09-27-2003 01:46 PM

Re: Now that rexec is gone...
 
"Rainer Deyke" <rainerd@eldwood.com> writes:

> Now that rexec is gone, is there any code or information available on
> executing Python in a restricted environment?


There was a thread on python-dev about Zope's version of rexec
(RestrictedPython?) which looked promising on casual inspection.

Cheers,
mwh

--
> It might get my attention if you'd spin around in your chair,
> spoke in tongues, and puked jets of green goblin goo.

I can arrange for this. ;-) -- Barry Warsaw & Fred Drake

Alex Martelli 09-27-2003 03:46 PM

Re: Now that rexec is gone...
 
Rainer Deyke wrote:

> Now that rexec is gone, is there any code or information available on
> executing Python in a restricted environment? And before I roll my own
> solution, exactly where the security holes in rexec anyway?
>
> (I know one way of getting a restricted environment: butcher the Python
> interpreter by removing everything that's even remotely dangerous, use
> Python only for restricted execution, and do everything else in a C++
> program that embeds the butchered Python interpreter. I'd like to avoid
> doing that, for obvious reasons.)


Actually, such a "butchered" Python interpreter might be a fun and
useful project indeed. You would have to add programmable limits on
resource consumptions -- e.g., memory allocatable by the script[s],
time (CPU or maybe elapsed) usable thereby, etc. And you should rename
everything, say to use Qy instead of Py, so that a normal and a
butchered interpreter could easily be embedded in the same program.

Once the hard work of "butchering" is done, you might in fact quite
easily expose "the butchered interpreter" via an extension module for
Python proper -- no need to do "everything in C++", you'd just have two
separate Pythons, a full-function one and a seriously-hobbled one.

Not *QUITE* as good as running untrusted code in a separate "jail"'d
process, perhaps, but probably the closest you can come to that on
such environments as Windows. Note that the need to add resource
limitations is crucial (and was never addressed by rexec, making it
pretty useless to ward against denial-of-service kinds of attacks!).


Alex


Rainer Deyke 09-27-2003 06:46 PM

Re: Now that rexec is gone...
 
Alex Martelli wrote:
> Actually, such a "butchered" Python interpreter might be a fun and
> useful project indeed. You would have to add programmable limits on
> resource consumptions -- e.g., memory allocatable by the script[s],
> time (CPU or maybe elapsed) usable thereby, etc. And you should
> rename everything, say to use Qy instead of Py, so that a normal and a
> butchered interpreter could easily be embedded in the same program.


That might be a useful project, but it also sounds like a lot of work. I
don't think I'll be going that route.

As it turns out, I can solve my security problem in a different way
entirely: by confirming that any Python code I run is from a trusted source.
No need to run untrusted code at all.


--
Rainer Deyke - rainerd@eldwood.com - http://eldwood.com



Rainer Deyke 09-27-2003 06:46 PM

Re: Now that rexec is gone...
 
Terry Reedy wrote:
> Suggest you google last year of c.l.py for 'rexec'. Also check out
> py-dev summaries of last fall for discussion of why removed.


I see... It turns out that, short of modifying the Python interpreter, there
is no way to get real security. '"".__class__' gives access to 'str', 'str'
gives access to 'object', and 'object' gives access to 'file'.


--
Rainer Deyke - rainerd@eldwood.com - http://eldwood.com



Erik Max Francis 09-27-2003 08:31 PM

Re: Now that rexec is gone...
 
Rainer Deyke wrote:

> As it turns out, I can solve my security problem in a different way
> entirely: by confirming that any Python code I run is from a trusted
> source.
> No need to run untrusted code at all.


Yes, that sounds like the most reasonable approach.

--
Erik Max Francis && max@alcyone.com && http://www.alcyone.com/max/
__ San Jose, CA, USA && 37 20 N 121 53 W && &tSftDotIotE
/ \ In principle I am against principles.
\__/ Tristan Tzara

Cameron Laird 09-28-2003 01:23 PM

Metaphysics of security provisions (was: Now that rexec is gone...)
 
In article <Ihidb.130710$hE5.4447927@news1.tin.it>,
Alex Martelli <aleax@aleax.it> wrote:
.
.
.
>Actually, such a "butchered" Python interpreter might be a fun and
>useful project indeed. You would have to add programmable limits on
>resource consumptions -- e.g., memory allocatable by the script[s],
>time (CPU or maybe elapsed) usable thereby, etc. And you should rename

Good instincts! Yes, some of the recent work in regard to
safe interpretation that I find most interesting focuses
on precisely this: resource management. That's as op-
posed to the rather static causal tracing where Java's
core security theoreticians have put their attention.
I know there are people working with Java who care about
resource management; I don't *think* their results are
showing up in the libraries Sun specifies.

Apt proxies for your "time" include lots of easy ones for
an introspective interpreter, such as number-of-bytecodes
processed. That's another reason this is likely to be
"fun and useful" for Python: it already builds in good
introspection.

Warm-up exercise: list resources of interest. You've
already mentioned (memory) space and time. Anything the
operating system has to conserve--channel handles, threads,
SysV semaphores, display contexts, color maps, physical
device references, ...--is a likely candidate. Another
refinement: the OS could provide higher-level support for
resources usually left in userland. It strikes me that
this could be valuable even outside its use in a restricted
interpreter. Pools of, for example, database connections
are the first example that comes to my mind.
.
.
.
>Not *QUITE* as good as running untrusted code in a separate "jail"'d
>process, perhaps, but probably the closest you can come to that on
>such environments as Windows. Note that the need to add resource
>limitations is crucial (and was never addressed by rexec, making it
>pretty useless to ward against denial-of-service kinds of attacks!).

Worth repeating. Also, note that "jail" (or sandbox) is
not the only metaphor worth considering in this area.
Another is the positive one behind operating systems (I
need to figure out a one-word label for this): "zero-
based" provision of services for which one has been
authorized. This builds up, rather than down. Instead
of calculating how much is safe to put in the sandbox,
it makes the dual calculation of what building blocks
can safely be allowed the developer.
.
.
.
--

Cameron Laird <Cameron@Lairds.com>
Business: http://www.Phaseit.net
Personal: http://phaseit.net/claird/home.html

Jacek Generowicz 09-29-2003 10:14 AM

Re: Now that rexec is gone...
 
"Rainer Deyke" <rainerd@eldwood.com> writes:

> Terry Reedy wrote:
> > Suggest you google last year of c.l.py for 'rexec'. Also check out
> > py-dev summaries of last fall for discussion of why removed.

>
> I see... It turns out that, short of modifying the Python interpreter, there
> is no way to get real security. '"".__class__' gives access to 'str', 'str'
> gives access to 'object', and 'object' gives access to 'file'.


A message-id, or similar, at this point, could save future googlers a
lot of time ...

Gerrit Holl 09-29-2003 02:20 PM

Re: isNumber? check
 
Rob Hunter wrote:
> How do I check if a value is a number in Python?
>
> One way is (x == type(1)) and (x == type(1.2)) and (x ==
> type(2387482734274)) and ...
>
> but this seems kludgy. Any better way?


Why do you want to do so? Maybe, it is better in your
case to just run the piece of code using the number, and
if it fails, it fails. However, if you must, you need to
do type(x) is type(1) and ... etc., or isinstance(x, int)
and isinstance(x, float), etc.

Gerrit.

--
Asperger Syndroom - een persoonlijke benadering:
http://people.nl.linux.org/~gerrit/
Het zijn tijden om je zelf met politiek te bemoeien:
http://www.sp.nl/



All times are GMT. The time now is 05:08 PM.

Powered by vBulletin®. Copyright ©2000 - 2014, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.