Another scripting language implemented into Python itself?

[Fuzzyman]

Cameron Laird wrote:
[snip..]

This is a serious issue.

It's also one that brings Tcl, mentioned several
times in this thread, back into focus. Tcl presents
the notion of "safe interpreter", that is, a sub-
ordinate virtual machine which can interpret only
specific commands. It's a thrillingly powerful and
correct solution to the main problem Jeff and others
have described.

A better (and of course *vastly* more powerful but unfortunately only a
dream ;-) is a similarly limited python virutal machine.....

It could make embedding python a lot simpler for lots of applications
and even 'embedded python' a lot simpler. (Not to mention 'restricted
execution' - e.g. for applets in web pages)

*Perhaps* the pypy core will be a bit like this - but it's design goals
are very different of course.

Anyway, little point in wishing on a dream - I'm certainly not up to
the job
Regards,

Fuzzy
http://www.voidspace.org.uk/python/index.shtml

 

[Carl Banks]

My apologies for being sloppy. And with an initial capital, so it just
jumps off the page at you

Ok. Prescriptive language isn't normally my cup of tea, but there's
always something. And usually it's very silly.

lot.

But, that's exactly my point. To be honest, I've never used PHP. But
however bad it may be, at least it's got a few years of people fixing

bugs, writing books, writing add-on tools, etc, behind it. Better to

use somebody else's well-known and well-supported mess of a scripting

language than to invest several person-years inventing your own mess
that's no better.

Well, if you look at it that way, I guess so.

My mindset was closer to "hacked-up quasi-languages are evil" than
"hacked-up quasi-languages are not worth the time to implement when
there are plenty of hacked-up quasi-languages already out there, not to
mention some real languages."

 

[Rocco Moretti]

Have you been drinking again?

No, not really. The "every time" comment should be viewed in the same
light as "Every time you step outside, you risk being hit by a bus."

"import module" executes Python code. As such it can do anything Python
can do. Crash your system, wipe the hard drive, etc. And there is
nothing the importing code can do to stop it. Now, if you limit yourself
to known and trusted modules, that risk virtually disappears, just like
staying on the sidewalk virtually eliminates the chances of getting hit
by a bus. Not completely, mind you, since someone could have altered the
standard library modules/changed the import path such that you're
importing an unknown module. But most people would argue if someone has
that power, they probably can do anything they want with your system
without you doing "import module."

Bottom line: Don't exec or eval untrusted code. Don't import untrusted
modules.

 

[Rocco Moretti]

I don't see how that would equate to something that the original
programmer should be concerned about. You could include a bit in your
licensing scheme that voids all support on code that has been modified
in any way. You shouldn't be obligated and no one expects you to support
something the end-user has mucked with.

You could trivially enforce this by keeping checksums of all the system
files.

You're thinking of two different situations. My guess is that Jeff
Shannon is not referring to situations where the end user makes
modifications to existing code, but rather, where the end user write
*completely new* scripts in your new scripting language. As such, you
can't enforce checksums - the code hasn't been written yet.

The use cases probably are also different. You're thinking of delivering
a completed application to an end-user's machine, but given the OP's
user name ("Quest Master"), my guess is that he's looking for a
server-side deployment like in an on-line game, where users script the
game environment. Not only do you have a problem with a malicious user
potentially crashing the game machine, but you also have issues where
the user may be able to grab his "character object" and give himself
infinite money or life, or whatever. Since it's a shared server, you
can't just say "I'm not supporting it" when someone mucks with the server.

> In any case, there's nothing you can really do to "secure" your code.
> This is true of any language, C, C++, and especially scripting languages
> like Python. Anyone who has the determination get at and modify the code
> probably will.

Well, if you don't provide mechanisms for disk access, there is no way
to overwrite files, short of a bug in the interpreter (or some extension
interface to a general purpose programing language). Python is just to
flexible to work like that. Even if you don't provide an open function
to user code, and eliminate questionable modules, you can still get a
file object, even if all you are provided with is an integer object.
That's why restricted execution was eliminated from the standard library.

 

[Terry Reedy]

The original poster wants to work in Python. That's
fine. Several of us have suggested he further
expose Python itself to his end-users as an extension
language. That certainly is feasible. He needn't
explain all of Python to those end-users--probably
only a bit about "assignments", control structures,
and maybe lists.

That approach creates a sort of fragility, though.
Python includes, along with much else, os.unlink().
Suppose our original poster doesn't want end-users
to be able to delete files (or directories ...).

I don't remember if the OP specified *where* the scripted application is to
be run. If on a server, then *any* language with loops is vulnerable to
malicious users. If on a person's own desktop machine, where one can run
'diskformat' or the equivalent, or pick up and drop the machine, then
worrying about Python security seems superfluous. Why worry, for instance,
about os.unlink when the user can just do the same much easier in a text or
gui shell?

Terry J. Reedy

 

[Grant Edwards]

"import module" executes Python code. As such it can do
anything Python can do. Crash your system, wipe the hard
drive, etc.

Only if you run as root all the time -- and the same can be
said of any library routine you call.

And there is nothing the importing code can do to stop it.

Nor is there anything you can to do stop libc from doing stuff.

Now, if you limit yourself to known and trusted modules, that
risk virtually disappears, just like staying on the sidewalk
virtually eliminates the chances of getting hit by a bus. Not
completely, mind you, since someone could have altered the
standard library modules/changed the import path such that
you're importing an unknown module. But most people would
argue if someone has that power, they probably can do anything
they want with your system without you doing "import module."

Bottom line: Don't exec or eval untrusted code. Don't import untrusted
modules.

I still don't see how that's any different for Python than for
any other language.

 

[Francis Girard]

Hi,

I'm really not sure but there might be some way to embed Java Script within
Jython. Or to run Jython from inside Java much like the jEdit editor. You
then have Python to make some glue code between the C++ core and the Java
Script. Java Script must be secure since it runs in browsers everywhere from
my worst sex web sites !

I'm not really sure why the original poster want to use Python, I think it's
to make the glue between C++ and the scripting engine. Nor am I really sure
why java runs inside my browser ...

Francis Girard
FRANCE

Le mardi 25 Janvier 2005 18:08, Cameron Laird a écrit :

 

[Lee Harr]

That approach creates a sort of fragility, though.

I don't remember if the OP specified *where* the scripted application is to
be run. If on a server, then *any* language with loops is vulnerable to
malicious users. If on a person's own desktop machine, where one can run
'diskformat' or the equivalent, or pick up and drop the machine, then
worrying about Python security seems superfluous. Why worry, for instance,
about os.unlink when the user can just do the same much easier in a text or
gui shell?

What if you were creating a program that used programmable modules
and wanted to let people safely share modules over the internet.

It would be nice to be able to say "downloaded modules are safe
to use. They can only do these things: x, y, z. They will not be
able to access or damage anything outside of the application"

 

[Cameron Laird]

.
.
.

worrying about Python security seems superfluous. Why worry, for instance,
about os.unlink when the user can just do the same much easier in a text or
gui shell?

.
.
.
It's an apt question--and one with several answers. I'll
hint at the range by observing that part of security has
to do with prevention not of malicious acts, but of common
mistakes. I entirely agree with you that it's crucial to
think of wider context, and whether a particular choice's
costs are worth its benefits.

 

[Cameron Laird]

.
.
.

I know C/C++ might be better suited for a task of this kind, but most
of the modules in my application which need speed have already been
coded in C++. I want to use Python as the "glue" for this project;

.
.
.
I've lost track of what "this kind" means here; why do you
think C/C++ is a better language for writing a language
interpreter? Is it because, for example, Python's interpre-
ter has traditionally been written in C?

 

[Jeff Shannon]

I still don't see how that's any different for Python than for
any other language.

Yep, and one should be careful about executing untrusted C code, too.
If you're running a webserver, do you let random users upload
executables and then run them? Probably not.

The key point here, what I was attempting to say in my earlier post,
is that while Python can be useful as an internal scripting language
inside of an application, it gives users of that application the same
power over your system as any arbitrary C code. That's fine if it's
an internal application, or the application can be run with
(enforceable) restricted permissions, but it's still risky. How many
security alerts has Microsoft issued because of some bug that allowed
the execution of arbitrary code? Well, having Python scripting access
is essentially the same thing. At best, you can use the external
environment to limit the process running Python to its own sandbox
(e.g. running as a limited-permission user in a chroot jail), but you
still can't prevent one user of that application from screwing with
other users of the application, or the application's own internal data.

In other words, the only difference is that Python makes it much more
tempting to hand over the keys to your server.

I confess that I jumped to the (apparently unsupported) conclusion
that this was some sort of server-based, internet/shared application.
If that's not the case, then concerns about security are not so
significant. If the users are running this application on their own
machines, then letting them script it in Python is a perfectly valid
(and probably quite desirable) approach.

Jeff Shannon
Technician/Programmer
Credit International

 

[Arthur]

.
.
.
.
.
.
It's an apt question--and one with several answers. I'll
hint at the range by observing that part of security has
to do with prevention not of malicious acts, but of common
mistakes. I entirely agree with you that it's crucial to
think of wider context, and whether a particular choice's
costs are worth its benefits.

As long as we include the cost of treating adults as children, and
take it seriously as the kind of cost it is, I'm OK.

I think Terry's point covers a wide range of the real world
situations. Though certainly not all.

My "real" life is in the mid-market business world, not as a geometry
software developer. And I see a sort of hysteria descending, in this
realm on this subject. Of theY2k ilk, but with actually, it seems to
me, less substance. Family businesses out on the limb, as a business,
in a myriad of ways - because they are after all in business, focusing
on remote scenarios because they are somehow becoming convinced that
is what business people do (they don't), and demoralizing folks in the
process. Folks who know that if they wanted to hurt this business
they could have done so a hundred times in a hundred ways over the
years. But it wouldn't be by screwing with their computer system
because they wouldn't know how. So isn't it funny that is what the
boss is so concerned about - all of a sudden?

(They always knew they were smarter then him. More proof)

Art

 

[JanC]

Francis Girard schreef:

I'm really not sure but there might be some way to embed Java Script
within Jython.

You can embed JavaScript in CPython, but I don't know how secure or stable
it is: <http://wwwsearch.sourceforge.net/python-spidermonkey/>

 

[Cameron Laird]

.
.
.

As long as we include the cost of treating adults as children, and
take it seriously as the kind of cost it is, I'm OK.

I think Terry's point covers a wide range of the real world
situations. Though certainly not all.

My "real" life is in the mid-market business world, not as a geometry
software developer. And I see a sort of hysteria descending, in this
realm on this subject. Of theY2k ilk, but with actually, it seems to
me, less substance. Family businesses out on the limb, as a business,
in a myriad of ways - because they are after all in business, focusing
on remote scenarios because they are somehow becoming convinced that
is what business people do (they don't), and demoralizing folks in the
process. Folks who know that if they wanted to hurt this business
they could have done so a hundred times in a hundred ways over the
years. But it wouldn't be by screwing with their computer system
because they wouldn't know how. So isn't it funny that is what the
boss is so concerned about - all of a sudden?

(They always knew they were smarter then him. More proof)

Art

Pronouns quickly overload me. If you're saying that there's hysteria
afoot, much of it about the harm that might come through use of
computers left unprotected from evildoers, well, yes, I'm with you.
Most people have far more important hazards in their lives and work
than "security violations" as we technologists generally conceive them.