Building a "safe" python?

martin.nordstrom87

I'm making a game where you'll be able to make your own mods and I
want to be able to write these mods in Python. However, Python has a
lot of "dangerous" functions (like erasing any file on the hard drive,
etc.) so I want a "safe" Python. I first found RExec but that is
disabled in Python 2.5, so I was thinking about building Python from
source with a few changes.
The changes I was thinking about were to change the import function so
that it should only be able to import the .pyd-files that I allow (and
it should of course still be able to import any .py-file) and remove
or change the builtin functions that are "dangerous".
Is this enough to make a "safe" Python that can't do anything
"dangerous"?

I'm going to embed this "safe" Python into my game and I've discovered
that when I embed the original Python and the mod wants to import
a .py-file that is not in the game directory it will search for
the .py-file in the Python directory that is installed on my computer.
Can I somehow prevent the embedded Python from looking in the Python
directory?

Thanks!
Martin
 
Gabriel Genellina

| I'm making a game where you'll be able to make your own mods and I
| want to be able to write these mods in Python. However, Python has a
| lot of "dangerous" functions (like erasing any file on the hard drive,
| etc.) so I want a "safe" Python. I first found RExec but that is
| disabled in Python 2.5, so I was thinking about building Python from
| source with a few changes.
| The changes I was thinking about were to change the import function so
| that it should only be able to import the .pyd-files that I allow (and
| it should of course still be able to import any .py-file) and remove
| or change the builtin functions that are "dangerous".
| Is this enough to make a "safe" Python that can't do anything
| "dangerous"?

No, and that's the reason for rexec/bastion removal. There are several
ways to circumvent it. For example, if the user can get access to a file
object, he can open any other file using type(f)("anyotherfile"). If he
can get an object defined in your code:

py> type(x).some_method.func_globals['__builtins__'].__import__
<built-in function __import__>

and then import anything.

I think that a highly reputed Python developer made some time ago a really
safe version and nobody could spot any holes, but I can't find the
reference.

| I'm going to embed this "safe" Python into my game and I've discovered
| that when I embed the original Python and the mod wants to import
| a .py-file that is not in the game directory it will search for
| the .py-file in the Python directory that is installed on my computer.
| Can I somehow prevent the embedded Python from looking in the Python
| directory?

Python looks along sys.path for importing things. Sorry, but if you don't
know that, you shouldn't try to build a safe Python version on your own -
at least you should have a lot of doubts that it is actually safe.
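
Added example, not part of the thread: the expression from the reply above in Python 3 spelling (`__globals__` instead of `func_globals`), showing that a stripped `__builtins__` still lets mod code reach the real `__import__` through a host object, plus an audit helper that lists which methods expose it. `SAFE_BUILTINS`, `GameEntity`, `run_mod`, `MOD_SOURCE` and `leaking_methods` are hypothetical names.

```python
import builtins

# Hypothetical allowlist in the spirit of the question: harmless builtins
# only, no open and no __import__.
SAFE_BUILTINS = {"type": type, "isinstance": isinstance, "dict": dict, "len": len}


class GameEntity:
    """Hypothetical host object that the game hands to mod code."""

    def __init__(self, name):
        self.name = name

    def describe(self):
        return "entity:" + self.name


def run_mod(source, api):
    """Execute mod source with stripped builtins; return its `result` variable."""
    env = {"__builtins__": dict(SAFE_BUILTINS), "api": api, "result": None}
    exec(source, env)
    return env["result"]


# Constructed mod source: the expression from the reply, in Python 3 spelling.
MOD_SOURCE = """
b = type(api).describe.__globals__['__builtins__']
result = b['__import__'] if isinstance(b, dict) else b.__import__
"""


def leaking_methods(obj):
    """Audit helper: names of methods on obj's class whose globals carry the
    real __import__, i.e. every entry point the expression above could use."""
    leaks = []
    for name, attr in vars(type(obj)).items():
        g = getattr(attr, "__globals__", {})
        b = g.get("__builtins__")
        imp = b.get("__import__") if isinstance(b, dict) else getattr(b, "__import__", None)
        if imp is builtins.__import__:
            leaks.append(name)
    return sorted(leaks)


if __name__ == "__main__":
    entity = GameEntity("orc")
    print("mod obtained:", run_mod(MOD_SOURCE, entity))
    print("methods exposing real builtins:", leaking_methods(entity))
```

Every pure-Python method on an exposed object shows up in the audit, which is why removing names from the builtins does not confine the mod.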
 
Terry Reedy

| I'm making a game where you'll be able to make your own mods and I
| want to be able to write these mods in Python. However, Python has a
| lot of "dangerous" functions (like erasing any file on the hard drive,
| etc.) so I want a "safe" Python. I first found RExec but that is
| disabled in Python 2.5, so I was thinking about building Python from
| source with a few changes.

There are moddable commercial games, such as CIV4 I believe, that use Python
as the scripting language for both the authors and modders. I presume they
use customized interpreters, without the open and file builtins and
process, socket, etc. modules, and probably a customized import. But I have
never seen an article or report on exactly what changes there are.

There is also the question of what to do about 'hang up' code like 'while
True: pass', but that is less of a concern for a game run on home machines
than a web server. Anyone doing that could be blackballed from the mod
distribution site without having trashed anyone's system.

tjr
 
