Now that rexec is gone...

Discussion in 'Python' started by Rainer Deyke, Sep 27, 2003.

  1. Rainer Deyke

    Rainer Deyke Guest

    Now that rexec is gone, is there any code or information available on
    executing Python in a restricted environment? And before I roll my own
    solution, exactly where the security holes in rexec anyway?

    (I know one way of getting a restricted environment: butcher the Python
    interpreter by removing everything that's even remotely dangerous, use
    Python only for restricted execution, and do everything else in a C++
    program that embeds the butchered Python interpreter. I'd like to avoid
    doing that, for obvious reasons.)


    --
    Rainer Deyke - - http://eldwood.com
     
    Rainer Deyke, Sep 27, 2003
    #1
    1. Advertising

  2. Rainer Deyke

    Terry Reedy Guest

    "Rainer Deyke" <> wrote in message
    news:XA8db.597231$o%2.276974@sccrnsc02...
    > Now that rexec is gone, is there any code or information available

    on
    > executing Python in a restricted environment? And before I roll my

    own
    > solution, exactly where the security holes in rexec anyway?


    Suggest you google last year of c.l.py for 'rexec'. Also check out
    py-dev summaries of last fall for discussion of why removed.

    TJR
     
    Terry Reedy, Sep 27, 2003
    #2
    1. Advertising

  3. "Rainer Deyke" <> writes:

    > Now that rexec is gone, is there any code or information available on
    > executing Python in a restricted environment?


    There was a thread on python-dev about Zope's version of rexec
    (RestrictedPython?) which looked promising on casual inspection.

    Cheers,
    mwh

    --
    > It might get my attention if you'd spin around in your chair,
    > spoke in tongues, and puked jets of green goblin goo.

    I can arrange for this. ;-) -- Barry Warsaw & Fred Drake
     
    Michael Hudson, Sep 27, 2003
    #3
  4. Rainer Deyke wrote:

    > Now that rexec is gone, is there any code or information available on
    > executing Python in a restricted environment? And before I roll my own
    > solution, exactly where the security holes in rexec anyway?
    >
    > (I know one way of getting a restricted environment: butcher the Python
    > interpreter by removing everything that's even remotely dangerous, use
    > Python only for restricted execution, and do everything else in a C++
    > program that embeds the butchered Python interpreter. I'd like to avoid
    > doing that, for obvious reasons.)


    Actually, such a "butchered" Python interpreter might be a fun and
    useful project indeed. You would have to add programmable limits on
    resource consumptions -- e.g., memory allocatable by the script,
    time (CPU or maybe elapsed) usable thereby, etc. And you should rename
    everything, say to use Qy instead of Py, so that a normal and a
    butchered interpreter could easily be embedded in the same program.

    Once the hard work of "butchering" is done, you might in fact quite
    easily expose "the butchered interpreter" via an extension module for
    Python proper -- no need to do "everything in C++", you'd just have two
    separate Pythons, a full-function one and a seriously-hobbled one.

    Not *QUITE* as good as running untrusted code in a separate "jail"'d
    process, perhaps, but probably the closest you can come to that on
    such environments as Windows. Note that the need to add resource
    limitations is crucial (and was never addressed by rexec, making it
    pretty useless to ward against denial-of-service kinds of attacks!).


    Alex
     
    Alex Martelli, Sep 27, 2003
    #4
  5. Rainer Deyke

    Rainer Deyke Guest

    Alex Martelli wrote:
    > Actually, such a "butchered" Python interpreter might be a fun and
    > useful project indeed. You would have to add programmable limits on
    > resource consumptions -- e.g., memory allocatable by the script,
    > time (CPU or maybe elapsed) usable thereby, etc. And you should
    > rename everything, say to use Qy instead of Py, so that a normal and a
    > butchered interpreter could easily be embedded in the same program.


    That might be a useful project, but it also sounds like a lot of work. I
    don't think I'll be going that route.

    As it turns out, I can solve my security problem in a different way
    entirely: by confirming that any Python code I run is from a trusted source.
    No need to run untrusted code at all.


    --
    Rainer Deyke - - http://eldwood.com
     
    Rainer Deyke, Sep 27, 2003
    #5
  6. Rainer Deyke

    Rainer Deyke Guest

    Terry Reedy wrote:
    > Suggest you google last year of c.l.py for 'rexec'. Also check out
    > py-dev summaries of last fall for discussion of why removed.


    I see... It turns out that, short of modifying the Python interpreter, there
    is no way to get real security. '"".__class__' gives access to 'str', 'str'
    gives access to 'object', and 'object' gives access to 'file'.


    --
    Rainer Deyke - - http://eldwood.com
     
    Rainer Deyke, Sep 27, 2003
    #6
  7. Rainer Deyke wrote:

    > As it turns out, I can solve my security problem in a different way
    > entirely: by confirming that any Python code I run is from a trusted
    > source.
    > No need to run untrusted code at all.


    Yes, that sounds like the most reasonable approach.

    --
    Erik Max Francis && && http://www.alcyone.com/max/
    __ San Jose, CA, USA && 37 20 N 121 53 W && &tSftDotIotE
    / \ In principle I am against principles.
    \__/ Tristan Tzara
     
    Erik Max Francis, Sep 27, 2003
    #7
  8. Metaphysics of security provisions (was: Now that rexec is gone...)

    In article <Ihidb.130710$>,
    Alex Martelli <> wrote:
    .
    .
    .
    >Actually, such a "butchered" Python interpreter might be a fun and
    >useful project indeed. You would have to add programmable limits on
    >resource consumptions -- e.g., memory allocatable by the script,
    >time (CPU or maybe elapsed) usable thereby, etc. And you should rename

    Good instincts! Yes, some of the recent work in regard to
    safe interpretation that I find most interesting focuses
    on precisely this: resource management. That's as op-
    posed to the rather static causal tracing where Java's
    core security theoreticians have put their attention.
    I know there are people working with Java who care about
    resource management; I don't *think* their results are
    showing up in the libraries Sun specifies.

    Apt proxies for your "time" include lots of easy ones for
    an introspective interpreter, such as number-of-bytecodes
    processed. That's another reason this is likely to be
    "fun and useful" for Python: it already builds in good
    introspection.

    Warm-up exercise: list resources of interest. You've
    already mentioned (memory) space and time. Anything the
    operating system has to conserve--channel handles, threads,
    SysV semaphores, display contexts, color maps, physical
    device references, ...--is a likely candidate. Another
    refinement: the OS could provide higher-level support for
    resources usually left in userland. It strikes me that
    this could be valuable even outside its use in a restricted
    interpreter. Pools of, for example, database connections
    are the first example that comes to my mind.
    .
    .
    .
    >Not *QUITE* as good as running untrusted code in a separate "jail"'d
    >process, perhaps, but probably the closest you can come to that on
    >such environments as Windows. Note that the need to add resource
    >limitations is crucial (and was never addressed by rexec, making it
    >pretty useless to ward against denial-of-service kinds of attacks!).

    Worth repeating. Also, note that "jail" (or sandbox) is
    not the only metaphor worth considering in this area.
    Another is the positive one behind operating systems (I
    need to figure out a one-word label for this): "zero-
    based" provision of services for which one has been
    authorized. This builds up, rather than down. Instead
    of calculating how much is safe to put in the sandbox,
    it makes the dual calculation of what building blocks
    can safely be allowed the developer.
    .
    .
    .
    --

    Cameron Laird <>
    Business: http://www.Phaseit.net
    Personal: http://phaseit.net/claird/home.html
     
    Cameron Laird, Sep 28, 2003
    #8
  9. "Rainer Deyke" <> writes:

    > Terry Reedy wrote:
    > > Suggest you google last year of c.l.py for 'rexec'. Also check out
    > > py-dev summaries of last fall for discussion of why removed.

    >
    > I see... It turns out that, short of modifying the Python interpreter, there
    > is no way to get real security. '"".__class__' gives access to 'str', 'str'
    > gives access to 'object', and 'object' gives access to 'file'.


    A message-id, or similar, at this point, could save future googlers a
    lot of time ...
     
    Jacek Generowicz, Sep 29, 2003
    #9
  10. Rainer Deyke

    Gerrit Holl Guest

    Re: isNumber? check

    Rob Hunter wrote:
    > How do I check if a value is a number in Python?
    >
    > One way is (x == type(1)) and (x == type(1.2)) and (x ==
    > type(2387482734274)) and ...
    >
    > but this seems kludgy. Any better way?


    Why do you want to do so? Maybe, it is better in your
    case to just run the piece of code using the number, and
    if it fails, it fails. However, if you must, you need to
    do type(x) is type(1) and ... etc., or isinstance(x, int)
    and isinstance(x, float), etc.

    Gerrit.

    --
    Asperger Syndroom - een persoonlijke benadering:
    http://people.nl.linux.org/~gerrit/
    Het zijn tijden om je zelf met politiek te bemoeien:
    http://www.sp.nl/
     
    Gerrit Holl, Sep 29, 2003
    #10
  11. Rainer Deyke

    Jeff Epler Guest

    Re: isNumber? check

    First, whatever test you use, you should probably encapsulate it in a
    function, so that if you need to update the definition you can do it at
    one site instead of many:

    def isnumeric(x):
    return isinstance(x, (int, long, float))

    You could have a registry of numeric types:

    _numeric_types = ()
    def register_numeric_type(t):
    global _numeric_types
    if t in _numeric_types: return
    _numeric_types += (t,)

    for value in (0, 0., 0l, 0j):
    register_numeric_type(type(value))

    def isnumeric(x):
    return isinstance(x, _numeric_types)

    Now, if someone wants to write a vector type, it merely needs to be
    registered.

    You could test that common numeric operations work:
    def isnumeric(x):
    try:
    if x*1 == x and x+0 == x:
    return 1
    except TypeError:
    pass
    return 0

    You could just run your code and let the eventual TypeError speak for
    itself.. instead of
    def f(x):
    if not isnumeric(x): raise TypeError, "can't f() a %s" % type(x)
    return x*x
    just write
    def f2(x):
    return x*x
    The difference in the quality of the error message is not large:
    >>> f("")

    Traceback (most recent call last):
    File "<stdin>", line 1, in ?
    File "<stdin>", line 2, in f
    TypeError: can't f() a <type 'str'>
    >>> f2("")

    Traceback (most recent call last):
    File "<stdin>", line 1, in ?
    File "<stdin>", line 2, in f2
    TypeError: unsupported operand type(s) for *: 'str' and 'str'

    Jeff
     
    Jeff Epler, Sep 29, 2003
    #11
  12. Re: isNumber? check

    > > How do I check if a value is a number in Python?
    > >
    > > One way is (x == type(1)) and (x == type(1.2)) and (x ==
    > > type(2387482734274)) and ...

    >
    > Why do you want to do so? Maybe, it is better in your
    > case to just run the piece of code using the number, and
    > if it fails, it fails. However, if you must, you need to
    > do type(x) is type(1) and ... etc., or isinstance(x, int)
    > and isinstance(x, float), etc.


    I used to use the latter approach suggested by Gerrit, but I recently
    found on the web an alternative, elegant approach that might work
    (sorry, I don't recall where I found it!):

    hasattr(x, '__int__')

    If the "__int__" method is defined for "x", it is a number. This will
    work for integer, long, float and complex types, as well as for custom
    classes that emulate numeric types.

    Regards,
    JSeb
     
    Jean-S?bastien Bolduc, Sep 30, 2003
    #12
  13. Re: isNumber? check

    Jean-S?bastien Bolduc wrote:

    > I used to use the latter approach suggested by Gerrit, but I recently
    > found on the web an alternative, elegant approach that might work
    > (sorry, I don't recall where I found it!):
    >
    > hasattr(x, '__int__')
    >
    > If the "__int__" method is defined for "x", it is a number. This will
    > work for integer, long, float and complex types, as well as for custom
    > classes that emulate numeric types.


    This is an insidiously bad idea, in my opinion. All having an __int__
    method means is there is some _conversion_ from an instance to an int
    type. It does not at all mean the custom instance spends most of its
    life behaving as an integer.

    --
    Erik Max Francis && && http://www.alcyone.com/max/
    __ San Jose, CA, USA && 37 20 N 121 53 W && &tSftDotIotE
    / \ We grow in time to trust the future for our answers.
    \__/ Ruth Benedict
     
    Erik Max Francis, Sep 30, 2003
    #13
  14. Rainer Deyke

    Aahz Guest

    Re: isNumber? check

    In article <>,
    Erik Max Francis <> wrote:
    >Jean-S?bastien Bolduc wrote:
    >>
    >> If the "__int__" method is defined for "x", it is a number. This will
    >> work for integer, long, float and complex types, as well as for custom
    >> classes that emulate numeric types.

    >
    >This is an insidiously bad idea, in my opinion. All having an __int__
    >method means is there is some _conversion_ from an instance to an int
    >type. It does not at all mean the custom instance spends most of its
    >life behaving as an integer.


    Yup. There's been some talk of adding an __index___() method or
    something to deal with that.
    --
    Aahz () <*> http://www.pythoncraft.com/

    "It is easier to optimize correct code than to correct optimized code."
    --Bill Harlan
     
    Aahz, Oct 2, 2003
    #14
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Aahz

    Re: Replacing rexec

    Aahz, Jul 16, 2003, in forum: Python
    Replies:
    4
    Views:
    420
    Asun Friere
    Jul 18, 2003
  2. Colin Coghill (SFive)

    Replacement for rexec/Bastion?

    Colin Coghill (SFive), Aug 26, 2003, in forum: Python
    Replies:
    2
    Views:
    372
    Christian Tismer
    Aug 28, 2003
  3. Colin Coghill (SFive)

    Re: Replacement for rexec/Bastion?

    Colin Coghill (SFive), Aug 27, 2003, in forum: Python
    Replies:
    1
    Views:
    582
    Michael Hudson
    Aug 27, 2003
  4. Michael Chermside

    RE: Replacement for rexec/Bastion?

    Michael Chermside, Aug 27, 2003, in forum: Python
    Replies:
    3
    Views:
    545
    Colin Coghill (SFive)
    Aug 28, 2003
  5. Huaiyu Zhu

    replacement of rexec?

    Huaiyu Zhu, Oct 23, 2003, in forum: Python
    Replies:
    9
    Views:
    336
    John J. Lee
    Nov 5, 2003
Loading...

Share This Page