Securing the Pyton Interpreter?

[Stephen VanDahm]

I'm looking for a way to install Python on a UNIX machine in a way such
that any user on the system can use it, but only to execute scripts that
are located in a certain directory. I do not have root access on the
machine that will be running Python, so my options are limited. I thought
about hacking the Python interpreter itself so that it will examine the
argument array and exit with an error if the script to be executed isn't
in the appropriate directory, but this seems pretty risky. The module
'site.py' is imported automatically upon initialization -- I've thought of
adding the check there instead. I don't think either of these solutions
are very elegant. Is there a better way?

Thanks for your time,

Steve VanDahm
(e-mail address removed)

 

[Andrew Koenig]

Stephen> I'm looking for a way to install Python on a UNIX machine in
Stephen> a way such that any user on the system can use it, but only
Stephen> to execute scripts that are located in a certain directory.

Why? If I were a user on that machine and wanted to execute Python
scripts in a different directory, how would you stop me from installing
Python on my own and using it for those scripts?

 

[Stephen VanDahm]

Stephen> I'm looking for a way to install Python on a UNIX machine in
Stephen> a way such that any user on the system can use it, but only
Stephen> to execute scripts that are located in a certain directory.

Why? If I were a user on that machine and wanted to execute Python
scripts in a different directory, how would you stop me from installing
Python on my own and using it for those scripts?

Andrew,

I'm a member of a Public Access UNIX system. Some users on the system are
allowed to use development tools (like Python) and other aren't. Also,
some users are allowed to install software that they've written into a
publically accessible area so that everyone on the system can use it. The
problem is that if the software is written in a language like Python,
regular users won't be able to use the Python interpreter to run it, and
the Python programs that we write won't be very useful. Some of us want
to install a second interpreter that's been secured somewhat so that
people can run our programs without being able to execute arbitrary
Python programs.

You are correct that nothing (in principle) prevents someone from
installing another Python interpreter in $HOME/bin and running whatever
they want. In fact, that's kind of what *we're* doing. But since I
neither make nor enforce the rules, it isn't my problem if other people
try to break them.

Basically, I need to do this for bureaucratic reasons. I know it's a
hack, and that it sounds like a stupid thing to do, but it's the best
available option for us....

Thanks for the reply,

Steve

 

[Peter Hansen]

I'm looking for a way to install Python on a UNIX machine in a way such
that any user on the system can use it, but only to execute scripts that
are located in a certain directory. I do not have root access on the
machine that will be running Python, so my options are limited. I thought
about hacking the Python interpreter itself so that it will examine the
argument array and exit with an error if the script to be executed isn't
in the appropriate directory, but this seems pretty risky. The module
'site.py' is imported automatically upon initialization -- I've thought of
adding the check there instead. I don't think either of these solutions
are very elegant. Is there a better way?

You want something this freaky, *and* you want it elegant?!

Anyway, just go with site.py. Judging by the name, it's perfectly suited
for the task.

Of course, you know about the -S option, don't you? And PYTHONPATH?
And PYTHONHOME? And someone installing their own interpreter? And....

-Peter

 

[Jeff Epler]

I've never tried to set up a "secure" unix system, in the sense that
users will only be allowed to execute certain commands. However there
are any number of secure/restricted shells.

I suspect that if you use one of these, you can get what you want. For
instance, you would have /usr/bin forbidden, and /usr/safebin permitted.
In /usr/safebin/pyscript you'd lead off with "#!/usr/bin/python -E".
"-E" prevents Python from obeying environment variables like
PYTHONPATH, PYTHONHOME, and PYTHONINSPECT, all of which can let the user
"sneak" code in to be executed.

Of course, you have to be sure that the individual python scripts are
"secure" also. For instance, the following one *isn't*:
#!/usr/bin/python -E
# Print prime factors of a number (like /usr/bin/factor)
import sys, math
for arg in sys.argv[1:]:
num = eval(arg)

print "%d:" % num,
i=2
while num != 1:
while num % i == 0:
print i,
num = num / i
i=i+1
print
using eval() is the reason, in case you didn't catch it, but there are
more subtle ways to write Python programs that let the user do arbitrary
things. For instance, if a program uses pickle and lets the user alter
the pickle's contents, the user can execute arbitrary code. If there's
a bug in the C program that implements the Python interpreter or any
extension module, the user might be able to arrange to "smash the stack"
and do the same thing. Whether these things really matter depend on
how secure your multi-user system needs to be. (this last type of attack
could be true of any program, though, not just Python)

Jeff

 

[Vinoo Vasudevan]

I'm looking for a way to install Python on a UNIX machine in a way such
that any user on the system can use it, but only to execute scripts that
are located in a certain directory. I do not have root access on the
machine that will be running Python, so my options are limited. I thought
about hacking the Python interpreter itself so that it will examine the
argument array and exit with an error if the script to be executed isn't
in the appropriate directory, but this seems pretty risky. The module
'site.py' is imported automatically upon initialization -- I've thought of
adding the check there instead. I don't think either of these solutions
are very elegant. Is there a better way?

Thanks for your time,

Steve VanDahm
(e-mail address removed)

Hi,
Hacking the interpreter seems like overkill. Why not just set up a
shell script containing the names of the allowed python scripts, and
execute it from there.
for example:

#!/usr/bin/sh

if "$1" in myscript1.py myscript2.py ....;
then
. /usr/bin/env python "$1"
else
echo "You can't execute that script."
fi

My shell scripting is a little rusty so there may be some errors, but
I hope you get the general idea.

Hope it's useful,

Vinoo

 

[Vinoo Vasudevan]

Quoth Mel Wilson:

seem to recall there are complications with suid on scripts
.. though I don't recall what they are.

A simple example: Let the file insecure_script contain
#!/bin/sh
grep 'f.*bar' $*
This script must not be made setuid-root. Consider:
$ cat >grep
#!/bin/sh
cp /etc/shadow . && chmod 0666 ./shadow
^D
$ chmod +x ./grep
$ export PATH=.:$PATH
$ insecure_script

You could deal with this particular problem by using absolute path
names for everything in the script, and/or by setting $PATH in the
script itself. [clip]

I didn't see this post before I posted the one with the naive shell
script. As clear as I can make it, the problem seems to be two-fold :-
Not allowing normal users to access the python interpreter directly,
and making sure they run only a certain set of scripts.
One solution that may work is to set up the interpreter so that _only_
you have read and execute permissions(maybe installing it in your home
directory), and then putting a shell script which has your UID but has
read and execute permissions for all users in a commonly accessible
place. The path to the interpreter and the python scripts must be
absolute in this script to avoid security problems as mentioned
above.

Hope this works,
Vinoo