Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > Python > Replacement for rexec/Bastion?

Reply
Thread Tools

Replacement for rexec/Bastion?

 
 
Colin Coghill (SFive)
Guest
Posts: n/a
 
      08-26-2003

Hi, a year or so back some students of mine and I wrote some software
which made use of the rexec module to run untrusted user code relatively
safely. (We were creating a prototype of a mobile-code style app)

I'm now working on another project which will need to be able to
do something similar, and I noticed that rexec and Bastion have been
withdrawn for (in)security reasons.

I've searched fairly hard, and have been unable to find any replacement,
but notice that the source still seems to have some form of restricted
environment available (involving __builtins__ manipulation), but I can't
find any documentation or discussion of this.

Is Python (preferably CPython 2.3) still able to "sandbox" bits of code
under an application provided API safely?

Even Jython or Stackless would be ok, I suppose.

I'd like to be able to have (possibly malicious) users of my software able
to script behavior using small snippets of python code. Anything from a line
to maybe a few pages in length each. I can trap endless loops and the like,
but I need something to stop them just importing sys and raising havoc.

- Colin
 
Reply With Quote
 
 
 
 
Michael Hudson
Guest
Posts: n/a
 
      08-26-2003
"Colin Coghill (SFive)" <(E-Mail Removed)> writes:

[snippety]

> I'd like to be able to have (possibly malicious) users of my software able
> to script behavior using small snippets of python code. Anything from a line
> to maybe a few pages in length each. I can trap endless loops and the like,
> but I need something to stop them just importing sys and raising havoc.


Zope's RestrictedPython might be an option.

Cheers,
mwh

--
how am I expected to quit smoking if I have to deal with NT
every day -- Ben Raia
 
Reply With Quote
 
 
 
 
Christian Tismer
Guest
Posts: n/a
 
      08-28-2003
Colin Coghill (SFive) wrote:

....

> Is Python (preferably CPython 2.3) still able to "sandbox" bits of code
> under an application provided API safely?
>
> Even Jython or Stackless would be ok, I suppose.


I really love to see Stackless mentioned, but I don't
see how this is related?
Stackless, due to its ability to pickle and transfer
executable code, is much more "dangerous" than regular
Python, if used in the correct "wrong" mode.

ciao - chris

--
Christian Tismer :^) <(E-Mail Removed)>
Mission Impossible 5oftware : Have a break! Take a ride on Python's
Johannes-Niemeyer-Weg 9a : *Starship* http://starship.python.net/
14109 Berlin : PGP key -> http://wwwkeys.pgp.net/
work +49 30 89 09 53 34 home +49 30 802 86 56 mobile +49 173 24 18 776
PGP 0x57F3BF04 9064 F4E1 D754 C2FF 1619 305B C09C 5A3B 57F3 BF04
whom do you want to sponsor today? http://www.stackless.com/



 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Replacement PSU for an ADSL Router Edward W. Thompson Wireless Networking 0 09-06-2005 10:40 AM
Replacement for FF calendar extension Dan Firefox 5 03-23-2005 08:38 PM
Replacement for AOL newsgroup access EJGroth Firefox 0 02-08-2005 02:41 PM
Calendar replacement William W. Plummer Firefox 1 07-02-2004 04:10 PM
Replacement For Access Point KS Wireless Networking 1 06-24-2004 04:40 AM



Advertisments