Replacement for rexec/Bastion?

  • Thread starter Colin Coghill (SFive)
  • Start date
C

Colin Coghill (SFive)

Hi, a year or so back some students of mine and I wrote some software
which made use of the rexec module to run untrusted user code relatively
safely. (We were creating a prototype of a mobile-code style app)

I'm now working on another project which will need to be able to
do something similar, and I noticed that rexec and Bastion have been
withdrawn for (in)security reasons.

I've searched fairly hard, and have been unable to find any replacement,
but notice that the source still seems to have some form of restricted
environment available (involving __builtins__ manipulation), but I can't
find any documentation or discussion of this.

Is Python (preferably CPython 2.3) still able to "sandbox" bits of code
under an application provided API safely?

Even Jython or Stackless would be ok, I suppose.

I'd like to be able to have (possibly malicious) users of my software able
to script behavior using small snippets of python code. Anything from a line
to maybe a few pages in length each. I can trap endless loops and the like,
but I need something to stop them just importing sys and raising havoc.

- Colin
 
M

Michael Hudson

[snippety]
I'd like to be able to have (possibly malicious) users of my software able
to script behavior using small snippets of python code. Anything from a line
to maybe a few pages in length each. I can trap endless loops and the like,
but I need something to stop them just importing sys and raising havoc.
Click to expand...

Zope's RestrictedPython might be an option.

Cheers,
mwh
 
C

Christian Tismer

Colin Coghill (SFive) wrote:

....
Is Python (preferably CPython 2.3) still able to "sandbox" bits of code
under an application provided API safely?

Even Jython or Stackless would be ok, I suppose.
Click to expand...

I really love to see Stackless mentioned, but I don't
see how this is related?
Stackless, due to its ability to pickle and transfer
executable code, is much more "dangerous" than regular
Python, if used in the correct "wrong" mode.

ciao - chris

--
Christian Tismer :^) <mailto:[email protected]>
Mission Impossible 5oftware : Have a break! Take a ride on Python's
Johannes-Niemeyer-Weg 9a : *Starship* http://starship.python.net/
14109 Berlin : PGP key -> http://wwwkeys.pgp.net/
work +49 30 89 09 53 34 home +49 30 802 86 56 mobile +49 173 24 18 776
PGP 0x57F3BF04 9064 F4E1 D754 C2FF 1619 305B C09C 5A3B 57F3 BF04
whom do you want to sponsor today? http://www.stackless.com/
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

replacement of rexec? 9
PyPy, is it a 1:1 replacement for CPython? 1
Is this the "right" way to do rexec? 1
replacement for execfile 3
Executing untrusted code 6
Looking for feedback on this markup language I developed and my website idea? 0
replacement for 'pow()' function 15
A replacement for about-to-be-closed NGs 0

Members online

Total: 20 (members: 1, guests: 19)
Robots: 434

Forum statistics

Threads
473,755
Messages
2,569,537
Members
45,021
Latest member
AkilahJaim

Latest Threads

Top