Re: [IronPython] restrict scripting access

[Michael Foord]

Dody Gunawinata wrote:
That you can filter our from the python source code or replace such 
call with exception ("bzz, can't load AddReference") - Yeah, it's a 
pretty nasty workaround, but it works.

Unfortunately not - one of the disadvantages of a highly dynamic 
language. There are lots of alternative ways of getting at the 
functionality.

Using the __import__ function instead of import. Using getattr with 
strings instead of including the literals in the source code. etc etc

It is for these reasons that the rexec module was deprecated in CPython, 
it is basically impossible to prevent access to certain builtin 
features. You have to apply the restrictions from the 'outside'.

Michael


Dody G.

On Mon, Jun 30, 2008 at 3:26 PM, Michael Foord 
<[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:

    Dody Gunawinata wrote:

        In the IronPython hosting API, unless you specifically load
        the assembly, it will not be accessible through the script. So
        right now restricting access means configuring the assemblies
        you want to expose to the script.


    But what is to stop the user code doing:

    import clr
    clr.AddReference('SomeAssembly')

    Loading the ScriptRuntime into an AppDomain and restricting the
    privileges on that is one way - but I don't think that IronPython
    will work at all unless the AppDomain has pretty much full trust.

    Michael Foord

        On Mon, Jun 30, 2008 at 3:09 PM, Ben Hall
        <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
        <mailto:[EMAIL PROTECTED]
        <mailto:[EMAIL PROTECTED]>>> wrote:

           I thought this last night, it would be really useful if we
        could
           'sandbox' the IP engine and limit it's access to certain
        areas of the
           framework.



           On Mon, Jun 30, 2008 at 12:57 PM, Rainer Worbis
           <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
        <mailto:[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>> wrote:
           > No - for example i would like to prevent that the user loads
           assemblies and does own data access via System.Data.SqlClient.
           > Or uses specific parts of the applications. (which should be
           visible to other scripts). So access control per script
        would be
           optimal.
           >
           > Rainer
           >
           > -----Ursprüngliche Nachricht-----
           > Von: [EMAIL PROTECTED]
        <mailto:[EMAIL PROTECTED]>
           <mailto:[EMAIL PROTECTED]
        <mailto:[EMAIL PROTECTED]>>
           [mailto:[EMAIL PROTECTED]
        <mailto:[EMAIL PROTECTED]>
           <mailto:[EMAIL PROTECTED]
        <mailto:[EMAIL PROTECTED]>>] Im Auftrag von
           Korbinian Abenthum
           > Gesendet: Montag, 30. Juni 2008 13:47
           > An: Discussion of IronPython
           > Betreff: Re: [IronPython] restrict scripting access
           >
           > Rainer Worbis wrote:
           >> is there a way to restrict access to objects or namespaces
           >> within a script? We use IronPython for providing scripting
           >> functionality within our .NET Application but would like to
           >> restrict access to certain functions. Has anybody
        information
           >> or a sample how to do that?
           >
           > Can you declare the restricted objects as "internal"?
           >
           > Cheers,
           >  Korbinian
           > _______________________________________________
           > Users mailing list
           > Users@lists.ironpython.com
        <mailto:Users@lists.ironpython.com>
        <mailto:Users@lists.ironpython.com
        <mailto:Users@lists.ironpython.com>>

           > http://lists.ironpython.com/listinfo.cgi/users-ironpython.com
           > _______________________________________________
           > Users mailing list
           > Users@lists.ironpython.com
        <mailto:Users@lists.ironpython.com>
        <mailto:Users@lists.ironpython.com
        <mailto:Users@lists.ironpython.com>>

           > http://lists.ironpython.com/listinfo.cgi/users-ironpython.com
           >
           _______________________________________________
           Users mailing list
           Users@lists.ironpython.com
        <mailto:Users@lists.ironpython.com>
        <mailto:Users@lists.ironpython.com
        <mailto:Users@lists.ironpython.com>>

           http://lists.ironpython.com/listinfo.cgi/users-ironpython.com




        -- 
        nomadlife.org <http://nomadlife.org> <http://nomadlife.org>
        ------------------------------------------------------------------------



        _______________________________________________
        Users mailing list
        Users@lists.ironpython.com <mailto:Users@lists.ironpython.com>
        http://lists.ironpython.com/listinfo.cgi/users-ironpython.com
         



    -- 
    http://www.ironpythoninaction.com/
    http://www.voidspace.org.uk/
    http://www.trypython.org/
    http://www.ironpython.info/
    http://www.resolverhacks.net/
    http://www.theotherdelia.co.uk/




--
nomadlife.org <http://nomadlife.org>
------------------------------------------------------------------------

_______________________________________________
Users mailing list
Users@lists.ironpython.com
http://lists.ironpython.com/listinfo.cgi/users-ironpython.com
  


--
http://www.ironpythoninaction.com/
http://www.voidspace.org.uk/
http://www.trypython.org/
http://www.ironpython.info/
http://www.resolverhacks.net/
http://www.theotherdelia.co.uk/

_______________________________________________
Users mailing list
Users@lists.ironpython.com
http://lists.ironpython.com/listinfo.cgi/users-ironpython.com