Securing the Pyton Interpreter?

Discussion in 'Python' started by Stephen VanDahm, Jul 15, 2003.

  1. I'm looking for a way to install Python on a UNIX machine in a way such
    that any user on the system can use it, but only to execute scripts that
    are located in a certain directory. I do not have root access on the
    machine that will be running Python, so my options are limited. I thought
    about hacking the Python interpreter itself so that it will examine the
    argument array and exit with an error if the script to be executed isn't
    in the appropriate directory, but this seems pretty risky. The module
    'site.py' is imported automatically upon initialization -- I've thought of
    adding the check there instead. I don't think either of these solutions
    are very elegant. Is there a better way?

    Thanks for your time,

    Steve VanDahm
    Stephen VanDahm, Jul 15, 2003
    #1
    1. Advertising

  2. Stephen> I'm looking for a way to install Python on a UNIX machine in
    Stephen> a way such that any user on the system can use it, but only
    Stephen> to execute scripts that are located in a certain directory.

    Why? If I were a user on that machine and wanted to execute Python
    scripts in a different directory, how would you stop me from installing
    Python on my own and using it for those scripts?

    --
    Andrew Koenig,
    Andrew Koenig, Jul 15, 2003
    #2
    1. Advertising

  3. In article <>, Andrew Koenig wrote:
    > Stephen> I'm looking for a way to install Python on a UNIX machine in
    > Stephen> a way such that any user on the system can use it, but only
    > Stephen> to execute scripts that are located in a certain directory.
    >
    > Why? If I were a user on that machine and wanted to execute Python
    > scripts in a different directory, how would you stop me from installing
    > Python on my own and using it for those scripts?
    >



    Andrew,

    I'm a member of a Public Access UNIX system. Some users on the system are
    allowed to use development tools (like Python) and other aren't. Also,
    some users are allowed to install software that they've written into a
    publically accessible area so that everyone on the system can use it. The
    problem is that if the software is written in a language like Python,
    regular users won't be able to use the Python interpreter to run it, and
    the Python programs that we write won't be very useful. Some of us want
    to install a second interpreter that's been secured somewhat so that
    people can run our programs without being able to execute arbitrary
    Python programs.

    You are correct that nothing (in principle) prevents someone from
    installing another Python interpreter in $HOME/bin and running whatever
    they want. In fact, that's kind of what *we're* doing. But since I
    neither make nor enforce the rules, it isn't my problem if other people
    try to break them.

    Basically, I need to do this for bureaucratic reasons. I know it's a
    hack, and that it sounds like a stupid thing to do, but it's the best
    available option for us....

    Thanks for the reply,

    Steve
    Stephen VanDahm, Jul 15, 2003
    #3
  4. Stephen VanDahm

    Peter Hansen Guest

    Stephen VanDahm wrote:
    >
    > I'm looking for a way to install Python on a UNIX machine in a way such
    > that any user on the system can use it, but only to execute scripts that
    > are located in a certain directory. I do not have root access on the
    > machine that will be running Python, so my options are limited. I thought
    > about hacking the Python interpreter itself so that it will examine the
    > argument array and exit with an error if the script to be executed isn't
    > in the appropriate directory, but this seems pretty risky. The module
    > 'site.py' is imported automatically upon initialization -- I've thought of
    > adding the check there instead. I don't think either of these solutions
    > are very elegant. Is there a better way?


    You want something this freaky, *and* you want it elegant?! :)

    Anyway, just go with site.py. Judging by the name, it's perfectly suited
    for the task.

    Of course, you know about the -S option, don't you? And PYTHONPATH?
    And PYTHONHOME? And someone installing their own interpreter? And....

    -Peter
    Peter Hansen, Jul 15, 2003
    #4
  5. Stephen VanDahm

    Jeff Epler Guest

    I've never tried to set up a "secure" unix system, in the sense that
    users will only be allowed to execute certain commands. However there
    are any number of secure/restricted shells.

    I suspect that if you use one of these, you can get what you want. For
    instance, you would have /usr/bin forbidden, and /usr/safebin permitted.
    In /usr/safebin/pyscript you'd lead off with "#!/usr/bin/python -E".
    "-E" prevents Python from obeying environment variables like
    PYTHONPATH, PYTHONHOME, and PYTHONINSPECT, all of which can let the user
    "sneak" code in to be executed.

    Of course, you have to be sure that the individual python scripts are
    "secure" also. For instance, the following one *isn't*:
    #!/usr/bin/python -E
    # Print prime factors of a number (like /usr/bin/factor)
    import sys, math
    for arg in sys.argv[1:]:
    num = eval(arg)

    print "%d:" % num,
    i=2
    while num != 1:
    while num % i == 0:
    print i,
    num = num / i
    i=i+1
    print
    using eval() is the reason, in case you didn't catch it, but there are
    more subtle ways to write Python programs that let the user do arbitrary
    things. For instance, if a program uses pickle and lets the user alter
    the pickle's contents, the user can execute arbitrary code. If there's
    a bug in the C program that implements the Python interpreter or any
    extension module, the user might be able to arrange to "smash the stack"
    and do the same thing. Whether these things really matter depend on
    how secure your multi-user system needs to be. (this last type of attack
    could be true of any program, though, not just Python)

    Jeff
    Jeff Epler, Jul 16, 2003
    #5
  6. Stephen VanDahm <> wrote in message news:<>...
    > I'm looking for a way to install Python on a UNIX machine in a way such
    > that any user on the system can use it, but only to execute scripts that
    > are located in a certain directory. I do not have root access on the
    > machine that will be running Python, so my options are limited. I thought
    > about hacking the Python interpreter itself so that it will examine the
    > argument array and exit with an error if the script to be executed isn't
    > in the appropriate directory, but this seems pretty risky. The module
    > 'site.py' is imported automatically upon initialization -- I've thought of
    > adding the check there instead. I don't think either of these solutions
    > are very elegant. Is there a better way?
    >
    > Thanks for your time,
    >
    > Steve VanDahm
    >


    Hi,
    Hacking the interpreter seems like overkill. Why not just set up a
    shell script containing the names of the allowed python scripts, and
    execute it from there.
    for example:

    #!/usr/bin/sh

    if "$1" in myscript1.py myscript2.py ....;
    then
    . /usr/bin/env python "$1"
    else
    echo "You can't execute that script."
    fi

    My shell scripting is a little rusty so there may be some errors, but
    I hope you get the general idea.

    Hope it's useful,

    Vinoo
    Vinoo Vasudevan, Jul 17, 2003
    #6
  7. Steven Taschuk <> wrote in message news:<>...
    > Quoth Mel Wilson:
    > > seem to recall there are complications with suid on scripts
    > > .. though I don't recall what they are.

    >
    > A simple example: Let the file insecure_script contain
    > #!/bin/sh
    > grep 'f.*bar' $*
    > This script must not be made setuid-root. Consider:
    > $ cat >grep
    > #!/bin/sh
    > cp /etc/shadow . && chmod 0666 ./shadow
    > ^D
    > $ chmod +x ./grep
    > $ export PATH=.:$PATH
    > $ insecure_script
    >
    > You could deal with this particular problem by using absolute path
    > names for everything in the script, and/or by setting $PATH in the
    > script itself. [clip]


    I didn't see this post before I posted the one with the naive shell
    script. As clear as I can make it, the problem seems to be two-fold :-
    Not allowing normal users to access the python interpreter directly,
    and making sure they run only a certain set of scripts.
    One solution that may work is to set up the interpreter so that _only_
    you have read and execute permissions(maybe installing it in your home
    directory), and then putting a shell script which has your UID but has
    read and execute permissions for all users in a commonly accessible
    place. The path to the interpreter and the python scripts must be
    absolute in this script to avoid security problems as mentioned
    above.

    Hope this works,
    Vinoo
    Vinoo Vasudevan, Jul 17, 2003
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Steffen Kunze
    Replies:
    2
    Views:
    391
    Steffen Kunze
    Jul 28, 2004
  2. Philippe C. Martin

    parsing pyton code

    Philippe C. Martin, Nov 6, 2004, in forum: Python
    Replies:
    1
    Views:
    343
    Jean Brouwers
    Nov 6, 2004
  3. mike
    Replies:
    3
    Views:
    449
    Christopher De Vries
    Feb 1, 2005
  4. Mark de+la+Fuente

    Is pyton for me?

    Mark de+la+Fuente, Jun 10, 2005, in forum: Python
    Replies:
    11
    Views:
    755
    Mike Meyer
    Jun 11, 2005
  5. Daniel Nogradi
    Replies:
    0
    Views:
    410
    Daniel Nogradi
    May 4, 2006
Loading...

Share This Page