Jakub Piotr Cłapa wrote:
> And if you want to expose anything then you leave a way to go through your function to your module and then to anything you want.

Just to bring this into sharp focus, consider:

  Python 2.3 (#1, Aug 5 2003, 15:52:30)
  [GCC 3.1 20020420 (prerelease)] on darwin
  Type "help", "copyright", "credits" or "license" for more information.
  >>> (3).__class__.__bases__[0].__subclasses__()[-3]
  <type 'file'>

So you don't even have to import anything or refer to any names in the builtin namespace to wreak havoc.
> That's the reason why restricted execution was withdrawn from the stdlib. Nobody seems to care about security enough to handle this (rather difficult) problem.

That's not entirely true -- there are efforts underway to come up with a new model for sandboxed execution. It'll probably be a while before anything usable comes out of that, though. As things are, the only way to be completely sure that the user's code can't mess anything up is to run it in a separate process. That has other advantages, too, such as being able to limit memory and CPU usage, which are also difficult or impossible to do within a single Python process.

-- Greg
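The separate-process approach Greg describes, as an added example that is not part of the original thread: untrusted source is handed to a fresh interpreter started in isolated mode, and the CPU and memory ceilings are set with OS resource limits in the child before `exec`, which is exactly what cannot be enforced from inside a single Python process. It assumes a Unix host where the `resource` module is available (Linux in particular for `RLIMIT_AS`); the limit values and the sample snippets are constructed for the demonstration.

```python
"""Run untrusted Python source in a separate, resource-limited child process.

Added example, not code from the thread. Unix/Linux only (uses `resource`);
the default limits below are constructed values for the demonstration.
"""
import resource
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass
class RunResult:
    returncode: Optional[int]  # None when our wall-clock timeout killed the child
    stdout: str
    stderr: str
    timed_out: bool


def _make_preexec(cpu_seconds: int, mem_bytes: int):
    """Build the function that runs in the child between fork() and exec()."""
    def preexec() -> None:
        # CPU time: the soft limit delivers SIGXCPU, the hard limit SIGKILL,
        # so a runaway loop dies even if it ignores the first signal.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
        # Virtual address space: allocations beyond this fail, which the
        # interpreter surfaces as MemoryError instead of exhausting the host.
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
    return preexec


def _as_text(data) -> str:
    """TimeoutExpired carries raw bytes even in text mode; normalise to str."""
    if data is None:
        return ""
    return data.decode("utf-8", "replace") if isinstance(data, bytes) else data


def run_untrusted(source: str, *, cpu_seconds: int = 1,
                  mem_bytes: int = 512 * 1024 * 1024,
                  wall_seconds: float = 5.0) -> RunResult:
    """Execute `source` in a fresh interpreter under CPU, memory and wall limits."""
    # -I: isolated mode (ignore PYTHON* environment variables and the user
    #     site directory, and do not put the current directory on sys.path);
    # -S: skip the site module so nothing from the host's site-packages loads.
    cmd = [sys.executable, "-I", "-S", "-c", source]
    try:
        proc = subprocess.run(
            cmd,
            stdin=subprocess.DEVNULL,
            capture_output=True,
            text=True,
            timeout=wall_seconds,
            preexec_fn=_make_preexec(cpu_seconds, mem_bytes),
        )
    except subprocess.TimeoutExpired as exc:
        # subprocess.run has already killed the child; report what it produced.
        return RunResult(None, _as_text(exc.stdout), _as_text(exc.stderr), True)
    return RunResult(proc.returncode, proc.stdout, proc.stderr, False)


if __name__ == "__main__":
    # Constructed sample inputs: one benign snippet and three resource hogs.
    samples = [
        ("benign", "print(2 + 2)"),
        ("memory hog", "x = bytearray(4 * 1024 ** 3)"),  # 4 GiB > RLIMIT_AS
        ("cpu burner", "while True: pass"),
        ("sleeper", "import time; time.sleep(30)"),
    ]
    for label, code in samples:
        r = run_untrusted(code, wall_seconds=3.0)
        last_err = r.stderr.strip().splitlines()[-1:] if r.stderr.strip() else []
        print(f"{label:10s} rc={r.returncode} timed_out={r.timed_out} "
              f"stdout={r.stdout.strip()!r} stderr_tail={last_err}")
```

The wall-clock timeout is the backstop for code that sleeps or blocks on I/O without consuming CPU, which `RLIMIT_CPU` alone would never catch; the kill is done by the parent, so the child's cooperation is not needed. The process boundary is what makes the `__subclasses__` walk in the quoted session irrelevant: whatever the child reaches inside its own interpreter, it has no handle on the parent's.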