On Sep 5, 2008, at 10:26 PM, Campbell Barton wrote:
from talking to the python guys sandboxing python is easy if you use
the C api to overwrite builtins.
(sandboxing issues arise from trying to sandbox python from within
python)
You'd need to replace Python's import function with one that checks
only for files in a zip, for instance.
Or for starters you could disable import altogether and only allow C
modules and standalone scripts.
[..]
I'm not sure who you spoke with about this, but from my experience
Python is very difficult to effectively sandbox; in fact the official
security methods (Bastion and rexec) were famously disabled after
gaping security holes were pointed out to GvR after descriptors were
introduced to the language.
At Zope corp, we put a huge amount of effort into trying to run
"trusted" python code securely, and there were always things lurking
that needed to be dealt with. For example, you'll need to override the
memory manager or else the following line of code will swap your
machine to death:
" "*1000*1000*1000*1000
You'd need to prevent scripts from dynamically modifying std functions
and classes (or you'd need to run each app in its own interpreter);
the list goes on and on. It's much more difficult than it first appears.
-Casey
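The two controls discussed above, Campbell's replacement of the import function and Casey's memory cap plus a separate interpreter per app, as an added Python example that is not from either poster: the untrusted source runs in a child interpreter whose address space is capped with setrlimit and whose builtins.__import__ only admits an allow-list. GUEST_HARNESS, run_guest and the allow-list are assumptions of this example, and it assumes Linux (RLIMIT_AS); it demonstrates only these two checks and does not address the introspection problems Casey raises.

```python
import resource
import subprocess
import sys
import textwrap

# Harness run inside a fresh interpreter (constructed for this example).
# It swaps builtins.__import__ for a version that admits only a fixed list
# of top-level module names, then execs the untrusted source on stdin.
GUEST_HARNESS = textwrap.dedent("""
    import builtins, sys
    ALLOWED = set(filter(None, sys.argv[1].split(",")))
    _real_import = builtins.__import__
    def _guarded_import(name, *args, **kwargs):
        if name.split(".")[0] not in ALLOWED:
            raise ImportError("import of %r is not permitted" % name)
        return _real_import(name, *args, **kwargs)
    builtins.__import__ = _guarded_import
    try:
        exec(compile(sys.stdin.read(), "<untrusted>", "exec"),
             {"__builtins__": builtins})
    except BaseException as exc:
        sys.stderr.write("guest raised %s: %s\\n" % (type(exc).__name__, exc))
        sys.exit(1)
""")

def _apply_limits(max_bytes):
    # Runs in the child between fork and exec. Capping the address space makes
    # an oversized allocation fail with MemoryError instead of swapping the
    # host; the CPU cap bounds a runaway loop the same way.
    _, hard = resource.getrlimit(resource.RLIMIT_AS)
    if hard != resource.RLIM_INFINITY:
        max_bytes = min(max_bytes, hard)
    resource.setrlimit(resource.RLIMIT_AS, (max_bytes, max_bytes))
    resource.setrlimit(resource.RLIMIT_CPU, (5, 5))

def run_guest(source, allowed=(), max_bytes=512 * 1024 * 1024, timeout=30):
    """Run untrusted Python in its own interpreter; return (exit_code, stderr)."""
    proc = subprocess.run(
        [sys.executable, "-I", "-c", GUEST_HARNESS, ",".join(allowed)],
        input=source, capture_output=True, text=True, timeout=timeout,
        preexec_fn=lambda: _apply_limits(max_bytes),
    )
    return proc.returncode, proc.stderr

if __name__ == "__main__":
    print(run_guest('" "*1000*1000*1000*1000'))     # the line from the mail
    print(run_guest("bytearray(1024**3)"))            # 1 GiB: fails only due to the cap
    print(run_guest("import os", allowed=("math",)))  # rejected by the import guard
    print(run_guest("import math\nmath.sqrt(2)", allowed=("math",)))
```
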