Re: Python CGI sandboxing advice (packaging of Online Python Tutor)

2014-04-09 Thread Jakub Wilk

* Jakub Wilk jw...@debian.org, 2014-02-13, 00:27:
>> The CGI's code is supposed to be safeguarding against abuse,
> The protection is not very good. (I'll disclose the details later.)


The exploit I had in mind was:

import re
from re import sys
imp = re.sys.modules['imp']
posix = imp.load_dynamic('', 'posix')

which gives you access to the goodies of the posix module. There's a 
resource limit that prevents you from opening any file, but you can do 
chmod(), chown(), remove(), rename(), kill(), …


Apparently this is now fixed:
https://github.com/pgbovine/OnlinePythonTutor/commit/eab7cb1c717a

I wouldn't be surprised if there were other clever ways to bypass OPT's 
security restrictions, and upstream doesn't seem too confident about this 
code either.


--
Jakub Wilk


--
To UNSUBSCRIBE, email to debian-python-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140409121133.ga2...@jwilk.net
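The bypass above is one instance of a general weakness of import whitelists: once any whitelisted module is importable, every module object hanging off its attributes is reachable too, without a single forbidden `import` statement. The Python 3 script below is an added example, not code from the thread or from OPT. It builds a toy whitelist (the module set is an assumption, not OPT's list), shows that a plain `import os` is blocked, then walks the attributes of the whitelisted modules to enumerate reachable modules that are not themselves whitelisted and uses the first path found to reach `os` and `sys` from inside the sandbox. It does not hard-code `re.sys`; the paths it reports depend on the running CPython version (for instance `random._os`, where random.py binds os under a private name). The probe only follows module-valued attributes; functions (`__globals__`), classes and `sys.modules` offer further routes, so passing this probe does not make an import whitelist a sandbox, which is exactly the point of the thread.

```python
"""Added example (not OPT's code): a module-import whitelist of the kind OPT
used, the attribute-walk bypass the thread describes, and a probe that finds
such leaks. The whitelist contents below are an assumption for the demo."""
import builtins
import importlib
import types

# Hypothetical whitelist; OPT's real list lives in pg_logger.py and differs.
ALLOWED_MODULES = {"json", "math", "random", "string"}

_real_import = builtins.__import__


def guarded_import(name, globals=None, locals=None, fromlist=(), level=0):
    """Replacement __import__ that only admits whitelisted top-level modules."""
    if name.partition(".")[0] not in ALLOWED_MODULES:
        raise ImportError(f"import of {name!r} is not allowed in the sandbox")
    return _real_import(name, globals, locals, fromlist, level)


def run_sandboxed(src):
    """Execute untrusted source under the guarded __import__; return its globals."""
    sandbox_builtins = dict(vars(builtins))
    sandbox_builtins["__import__"] = guarded_import
    env = {"__builtins__": sandbox_builtins}
    exec(src, env)
    return env


def direct_import_blocked(module="os"):
    """The defence does stop the obvious attack: a plain `import os`."""
    try:
        run_sandboxed(f"import {module}\n")
    except ImportError:
        return True
    return False


def find_leaked_modules(allowed=ALLOWED_MODULES, max_depth=3):
    """Breadth-first walk over module-valued attributes of every allowed module
    (and of whatever they reach, up to max_depth hops). Returns
    {module_name: attribute_path} for each module object that is reachable
    but not whitelisted, e.g. {'os': 'random._os'}. Run this against a
    whitelist before trusting it."""
    leaks = {}
    seen = set()
    queue = [(name, importlib.import_module(name), 0) for name in sorted(allowed)]
    while queue:
        path, mod, depth = queue.pop(0)
        if id(mod) in seen or depth >= max_depth:
            continue
        seen.add(id(mod))
        for attr, value in list(vars(mod).items()):
            if not isinstance(value, types.ModuleType) or not attr.isidentifier():
                continue
            child = f"{path}.{attr}"
            modname = getattr(value, "__name__", "")
            if modname.partition(".")[0] not in allowed:
                leaks.setdefault(modname, child)  # keep the shortest path found
            queue.append((child, value, depth + 1))
    return leaks


def reach_module_via_attribute(target):
    """Untrusted code that never imports `target` directly: it imports one
    whitelisted module and follows the attribute path the probe found, the
    same shape as the re.sys / sys.modules hop in the thread. Returns the
    reached module's __name__, or None if no path exists."""
    path = find_leaked_modules().get(target)
    if path is None:
        return None
    top = path.partition(".")[0]
    env = run_sandboxed(f"import {top}\nreached = {path}\n")
    return env["reached"].__name__


if __name__ == "__main__":
    print("direct `import os` blocked:", direct_import_blocked())
    for name, path in sorted(find_leaked_modules().items()):
        print(f"{name:>12} reachable as {path}")
    print("reached via attribute walk:", reach_module_via_attribute("os"))
```

The fix direction is not a longer denylist of attribute names: the CGI process itself needs OS-level confinement (a separate unprivileged user, resource limits, a container or seccomp profile), with the Python-level whitelist treated as a usability filter rather than a security boundary.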



Re: Python CGI sandboxing advice (packaging of Online Python Tutor)

2014-04-09 Thread Olivier Berger
Hi.

Jakub Wilk jw...@debian.org writes:

> * Jakub Wilk jw...@debian.org, 2014-02-13, 00:27:
>>> The CGI's code is supposed to be safeguarding against abuse,
>> The protection is not very good. (I'll disclose the details later.)
>
> The exploit I had in mind was:
>
>   import re
>   from re import sys
>   imp = re.sys.modules['imp']
>   posix = imp.load_dynamic('', 'posix')
>
> which gives you access to the goodies of the posix module. There's a 
> resource limit that prevents you from opening any file, but you can do 
> chmod(), chown(), remove(), rename(), kill(), …
>
> Apparently this is now fixed:
> https://github.com/pgbovine/OnlinePythonTutor/commit/eab7cb1c717a
>
> I wouldn't be surprised if there were other clever ways to bypass OPT's 
> security restrictions, and upstream doesn't seem too confident about this 
> code either.

Thanks for sharing this. I'll have to read about re.sys (WTF ?)...

FWIW, I've put a hold to my tests of packaging OPT, while I was
investigating the use of Docker for sandboxing Web apps in its
containers.

For instance, I've been playing with FusionForge's mediawiki (including
its PostgreSQL and Apache dependencies) in such an environment, and it
seems one possible way...

I'm not sure whether others have similar plans using Docker for
something that could be done the debian way. Probably deserves another
post.

Best regards,
-- 
Olivier BERGER 
http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)


Archive: https://lists.debian.org/8738hmveul@inf-8660.int-evry.fr



Re: Python CGI sandboxing advice (packaging of Online Python Tutor)

2014-02-12 Thread Jakub Wilk

* Olivier Berger olivier.ber...@telecom-sudparis.eu, 2014-02-10, 10:51:
> The CGI's code is supposed to be safeguarding against abuse,

The protection is not very good. (I'll disclose the details later.)

> but I think some sandboxing would be better at the CGI invocation for 
> additional security.

Agreed.

--
Jakub Wilk


Archive: http://lists.debian.org/20140212232736.ga21...@jwilk.net



Re: Python CGI sandboxing advice (packaging of Online Python Tutor)

2014-02-10 Thread Olivier Berger
Hi.

I'm looking for advice on how to package the Online Python Tutor's
backend server which can execute arbitrary Python scripts submitted by
the user.

The CGI's code is supposed to be safeguarding against abuse, but I think
some sandboxing would be better at the CGI invocation for additional
security.

I forgot to CC: this list.

Any advice (beyond Paul's)?

Thanks in advance.

Best regards,

Olivier Berger olivier.ber...@it-sudparis.eu writes:

> Hi.
>
> Paul Wise p...@debian.org writes:
>
>> On Thu, Feb 6, 2014 at 8:43 AM, Paul Wise wrote:
>>
>>> Which CGI are we talking about? Perhaps we can give more specific advice.
>>
>> I guess you mean Online Python Tutor (#737732).
>
> Damn BTS ;) Indeed, I was considering OPT.
>
>> Looking at the git repo, it includes a lot of embedded code copies of
>> various JavaScript libraries and other code. As per policy 4.13 those
>> should be packaged separately.
>>
>> https://wiki.debian.org/EmbeddedCodeCopies
>
> Sure.
>
>> I see some places where it uses os.system(). That should switch to
>> using the subprocess module with shell disabled.
>>
>> The idea of this software is a bit concerning to me, it sounds like it
>> runs arbitrary Python code on the server and passes the results back
>> to the web.
>
> Exactly.
>
>> I would suggest auditing it to ensure that it isn't one
>> giant security hole. Please get CVEs for any issues that you find.
>>
>> http://oss-security.openwall.org/wiki/disclosure/cve
>
> Yes, it is indeed something that might be problematic.
>
> AFAICS for now, it uses a whitelist of python modules that are allowed
> (see [0]).
>
> That looks safe at first sight, but I fear there could be some kind of
> exploits if the safe modules have flaws...
>
> I'm not an expert in Python code security so I'd welcome any advice.
>
> In this respect, I can see the benefit of running it over a PaaS
> solution like Google App Engine (which is advertized by upstream
> author's site), given that those Python execution
> environments may naturally be sandboxed, etc.
>
> Maybe a CGI sandboxing solution could be advised, for running over a
> normal Debian system?
>
> Thanks in advance.
>
> Best regards,
>
> [0] 
> https://github.com/pgbovine/OnlinePythonTutor/blob/master/v3/pg_logger.py#L112

-- 
Olivier BERGER 
http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)


Archive: http://lists.debian.org/87ob2fgut3.fsf...@inf-8660.int-evry.fr
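Paul's remark about os.system() is worth seeing concretely, because the difference is not stylistic: os.system() hands a single string to /bin/sh, so any user-controlled fragment in it (a file name, a script name) is parsed by the shell, whereas subprocess with an argv list and shell disabled never invokes a shell at all. The script below is an added example, not OPT's code; the command (echo) and the crafted file name are constructed for the demo, and subprocess.run(..., shell=True) stands in for os.system() only so that the output can be captured and compared.

```python
"""Added example (not OPT's code): the same hostile file name run through a
shell-parsed command string and through an argv list with shell=False."""
import subprocess

# User-controlled value as it might arrive from a web form; constructed here.
HOSTILE_NAME = "notes.txt; echo INJECTED"


def run_with_shell(name):
    """os.system()-style call: the formatted string goes to /bin/sh, which
    treats ';' as a command separator and runs the injected command."""
    result = subprocess.run(f"echo {name}", shell=True,
                            capture_output=True, text=True)
    return result.stdout.splitlines()


def run_without_shell(name):
    """subprocess with an argv list and shell=False: the name is delivered to
    echo as one argument, so ';' is just a character in that argument."""
    result = subprocess.run(["echo", name], capture_output=True, text=True)
    return result.stdout.splitlines()


if __name__ == "__main__":
    print("shell=True :", run_with_shell(HOSTILE_NAME))
    print("shell=False:", run_without_shell(HOSTILE_NAME))
```

Quoting the value with shlex.quote() before interpolating it is the second-best option when a shell is genuinely needed; the argv-list form removes the parsing step entirely and is what to reach for in a CGI that already executes user-supplied code.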