While this thread is indeed a theoretical discussion of the interpreter, for a practical solution where you control the host environment, one might look into OS level sandboxing like FreeBSD's Jails (not to be confused with a simple chroot environment) along with various resource limiting parameters. You can lock down a 'sandboxed' i.e. jailed environment for arbitrary data and processes, including python, pretty tightly.
-Kurt- On Sat, May 30, 2015 at 5:52 PM, Steven D'Aprano <st...@pearwood.info> wrote: > On Sat, 30 May 2015 09:24 pm, Laura Creighton wrote: > > > In a message of Sat, 30 May 2015 19:00:14 +1000, "Steven D'Aprano" > writes: > >>I wouldn't have imagined that the claim "it's easier to secure a small > >>language with a few features than a big language with lots of features" > >>would have been so controversial. I wonder if this claim will be equally > >>as controversial? > >> > >>There is a rough correlation between the number of lines of code in a > code > >>base, and the number of potential security holes that need to be guarded > >>against. > > > > Maybe these aren't controversial if you are doing langauge level > > sandboxing, but you don't have to sandbox like that. Consider, for a > > moment, the sandboxing technique used by PyPy > > discussed at > > > > http://pypy.readthedocs.org/en/latest/sandbox.html > > > > You think it is way cool, but, alas, you want to sandbox some other > > language than Python. > > How many PyPy sandboxes are being used with hostile users motivated to > break > out of the sandbox? > > "I wrote a sandbox which I can't break out of" is different from "I wrote a > sandbox which nobody can break out of". Javascript is sandboxed, but due to > bugs in implementations, Javascript-based exploits are now heavily used by > malware. There are possibly even more Javascript-based exploits than buffer > overflow based exploits these days, as C programmers get better at using > automated tools that check for buffer overflows. > > > > -- > Steven > > -- > https://mail.python.org/mailman/listinfo/python-list >
-- https://mail.python.org/mailman/listinfo/python-list
