On Tue, 26 Feb 2019 at 22:24, Gregory P. Smith <g...@krypto.org> wrote:
> A feature that I find missing from posix-y OSes that support #! lines is an 
> ability to restrict what can use a given interpreter.

Fedora runs system tools (like "/usr/bin/semanage", a tool to manage
SELinux) with "python3 -Es":

$ head /usr/sbin/semanage
#! /usr/bin/python3 -Es

-E: ignore PYTHON* environment variables (such as PYTHONPATH)
-s: don't add user site directory to sys.path

Is that what you mean?


> Such a restriction could be implemented within the interpreter itself. For 
> example: Say that only this set of fully qualified path whitelisted .py files 
> are allowed to invoke it, with no interactive, stdin, or command line "-c" 
> use allowed.  I'm not aware of anyone actually having done that.  It's hard 
> to see how to do that in a maintainable manner that people using many distros 
> wouldn't just naively work around by adding themselves to the whitelist 
> rather than providing their own interpreter for their own software stack.  It 
> feels more doable without workarounds for something like macOS or any other 
> distro wholly controlled and maintained as a single set of software rather 
> than widely varying packages.

Technically, Python initialization is highly customizable: see
_PyCoreConfig in Include/coreconfig.h.

But we lack a public API for that :-)
https://www.python.org/dev/peps/pep-0432/ is a work-in-progress.

With a proper public API, building your own interpreter would take a
few lines of C to give you fine control over what Python can or cannot do.

Extract of Programs/_freeze_importlib.c (gives you an idea of what can be done):
---
    _PyCoreConfig config = _PyCoreConfig_INIT;
    config.user_site_directory = 0;
    config.site_import = 0;
    config.use_environment = 0;
    config.program_name = L"./_freeze_importlib";
    /* Don't install importlib, since it could execute outdated bytecode. */
    config._install_importlib = 0;
    config._frozen = 1;

    _PyInitError err = _Py_InitializeFromConfig(&config);
---

As Petr wrote below, RHEL 8 has a private /usr/libexec/platform-python
which is the Python used to run system tools (written in Python). But
this Python isn't customized. I'm not sure that there is a strong need
to customize Python default configuration for this interpreter.

Note: Sorry to hijack this thread again with unrelated discussions :-(

Victor
-- 
Night gathers, and now my watch begins. It shall not end until my death.
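
The effect of the "-Es" shebang flags described in the message can be checked by running the same interpreter with and without them while PYTHONPATH points at an untrusted directory. This is an added example, not code from the original message or from Fedora; the names `probe` and `compare` and the temporary directory standing in for a planted PYTHONPATH entry are assumptions.

```python
import json
import os
import subprocess
import sys
import tempfile

# Child code: report the isolation flags and the resulting import path.
PROBE = (
    "import json, sys; "
    "print(json.dumps({"
    "'ignore_environment': bool(sys.flags.ignore_environment), "
    "'no_user_site': bool(sys.flags.no_user_site), "
    "'path': sys.path}))"
)


def probe(flags, planted_dir):
    """Run a child interpreter with `flags` while PYTHONPATH names planted_dir."""
    env = dict(os.environ, PYTHONPATH=planted_dir)
    result = subprocess.run(
        [sys.executable, *flags, "-c", PROBE],
        env=env, capture_output=True, text=True, check=True,
    )
    return json.loads(result.stdout)


def compare():
    """Return (default_result, hardened_result, planted_dir)."""
    # Constructed sample input: an empty directory standing in for a
    # location a local user controls and exports through PYTHONPATH.
    with tempfile.TemporaryDirectory() as planted:
        planted = os.path.realpath(planted)
        # "-Es" is written as one token, as in the semanage shebang line.
        return probe([], planted), probe(["-Es"], planted), planted


if __name__ == "__main__":
    default, hardened, planted = compare()
    print("planted dir on sys.path (no flags):", planted in default["path"])
    print("planted dir on sys.path (-Es):     ", planted in hardened["path"])
    print("flags under -Es:", hardened["ignore_environment"], hardened["no_user_site"])
```
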