David Pokorny wrote:
Hi,

Suppose that one wants to set up a machine to accept python code from,
say, arbitrary email, and run it safely. Would the following
(somewhat draconian) precautions be sufficient?

In short, no. Python's introspection capabilities kill you. There are too many ways to spell things to be certain all the loopholes are closed.


For instance, take a look at the result of:

  import sys
  type(sys.stdout)   # yields the file type object without ever writing the word 'file'

Sure, you can add 'type' to the banned list, but eventually the banned list is so long, writing a useful program is damn near impossible. 'chr' and '__dict__', for instance, would almost certainly have to be on the banned list, otherwise:

import sys
# the character codes spell '__builtin__' and 'file' respectively
key1 = ''.join([chr(x) for x in [95, 95, 98, 117, 105, 108, 116, 105, 110, 95, 95]])
key2 = ''.join([chr(x) for x in [102, 105, 108, 101]])
sys.modules[key1].__dict__[key2]   # resolves to the builtin 'file', with no banned name in the source


It isn't accidental that Bastion and rexec got deprecated - the developers just can't guarantee that the modules are actually providing adequate protection.

A chroot() jail, setuid() to some permission-less sandbox user and your monitoring daemon are likely to get you a lot further.

Regards,
Nick.

P.S. Both examples above are bizarre ways of spelling 'file', for anyone who can't be bothered figuring it out.
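The point above, that a banned-name filter only sees names that appear literally in the source, can be checked without running any untrusted code. The following is an added illustration, not code from the thread: it parses candidate source into an AST, looks for banned identifiers and attributes, and runs that check over a direct spelling of `file` and over the character-code spelling quoted in the reply. The function names, the two banned-name sets (OBVIOUS and EXTENDED) and the sample source strings are my own constructions.

```python
import ast

# Constructed banned-name sets. OBVIOUS is the kind of list one writes first;
# EXTENDED adds the two names the reply says would also have to be banned.
OBVIOUS = {"file", "open", "__builtin__", "__builtins__", "__import__", "eval", "exec"}
EXTENDED = OBVIOUS | {"chr", "__dict__"}


def banned_names_used(source, banned):
    """Return the banned identifiers/attributes that appear literally in the source.

    Only ast.Name and ast.Attribute nodes are inspected. That is exactly the
    weakness: an identifier assembled from a string at run time is never an AST
    name, so it cannot be matched here.
    """
    tree = ast.parse(source)
    found = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Name) and node.id in banned:
            found.add(node.id)
        elif isinstance(node, ast.Attribute) and node.attr in banned:
            found.add(node.attr)
    return found


def decode_codes(codes):
    """Spell out a list of character codes without executing anything."""
    return "".join(chr(c) for c in codes)


# Constructed sample 1: the direct spelling. The filter sees 'file' and rejects it.
DIRECT = "f = file('/etc/passwd')\n"

# Constructed sample 2: the character-code spelling from the reply. The names
# '__builtin__' and 'file' exist only at run time, not in the parsed source.
OBFUSCATED = (
    "key1 = ''.join([chr(x) for x in [95, 95, 98, 117, 105, 108, 116, 105, 110, 95, 95]])\n"
    "key2 = ''.join([chr(x) for x in [102, 105, 108, 101]])\n"
    "f = sys.modules[key1].__dict__[key2]\n"
)


def demo():
    """Collect the results so they can be inspected or asserted on."""
    return {
        "direct_obvious": banned_names_used(DIRECT, OBVIOUS),
        "obfuscated_obvious": banned_names_used(OBFUSCATED, OBVIOUS),
        "obfuscated_extended": banned_names_used(OBFUSCATED, EXTENDED),
        "key1_spells": decode_codes([95, 95, 98, 117, 105, 108, 116, 105, 110, 95, 95]),
        "key2_spells": decode_codes([102, 105, 108, 101]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the OBVIOUS list the direct spelling is rejected and the obfuscated one passes untouched; only after adding `chr` and `__dict__` does the filter catch it, and the same game can be replayed with any other builtin used to construct strings or reach attributes. That is the growth of the banned list the reply describes, and why it recommends OS-level isolation (chroot, an unprivileged uid, a monitoring process) over filtering the source.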