Re: Reg secure python environment with web terminal emulator
Lakshmipathi.G lakshmipath...@gmail.com writes: Could you please share more info about creating raw binary executable and its potential problem. In an earlier message, you reported to have banned gcc to avoid C level exploits. A raw binary executable would allow the same exploits. Think of a binary generated elsewhere (where gcc is available) and put into your environment. I am convinced that 100 % security is impossible - and correspondingly would use a pragmatic approach: I would rely on OS level constraints (user with very restricted rights, process running in an isolated box) - and ensure the OS is kept up to date to reduce the risk of exploits of OS security weaknesses. -- http://mail.python.org/mailman/listinfo/python-list
Re: Reg secure python environment with web terminal emulator
the same exploits. Think of a binary generated elsewhere (where gcc is available) and put into your environment. That's pretty bad news :( I am convinced that 100 % security is impossible - and correspondingly would use a pragmatic approach: I would rely on OS level constraints (user with very restricted rights, process running in an isolated box) - and ensure the OS is kept up to date to reduce the risk of exploits of OS security weaknesses. Yes,agree 100% security will never be possible. I'll explore about running process as an isolated box. Thanks for the suggestions and inputs. -- Cheers, Lakshmipathi.G FOSS Programmer. www.giis.co.in -- http://mail.python.org/mailman/listinfo/python-list
Re: Reg secure python environment with web terminal emulator
Lakshmipathi.G lakshmipath...@gmail.com writes: We have a server running a web-based terminal emulator (based on shellinabox for screen-casting check www.webminal.org) that allows users to learn simple bash commands. This Linux environment secured by things like quota, selinux,ulimit etc Now some users are requesting python access. How to ensure python is executed in a restricted environment. I came across http://docs.python.org/2/library/restricted.html but it seems like disabled in 2.3. Any thoughts on how we can safely provide python access to users. When you are satisfied with the protection you have achieved for bash commands, those same protection might be sufficient for Python as well. I assume that you used operating system facilities to restrict what the (system) user can do on the operating system level: the same restriction would apply to the (same) user executing Python code. -- http://mail.python.org/mailman/listinfo/python-list
Re: Reg secure python environment with web terminal emulator
Hi - Thanks for the response. Yes, we used OS features to restrict the system user accounts. We don't allow gcc - this helped us to avoid kernel exploits via C code like : https://www.centos.org/modules/newbb/viewtopic.php?viewmode=flattopic_id=42827forum=59 https://bugzilla.redhat.com/show_bug.cgi?id=962792 We are concerned whether user may try C exploits via Python code and break the system. What's the minimal python set-up you would suggest? I'm thinking something like: 1- Uninstall python-devel packages 2- Remove easy_install or pip (any such install utilities) 3- Keep only very basic modules under /usr/lib/python/site-packages and delete the others. Thanks. -- Cheers, Lakshmipathi.G FOSS Programmer. www.giis.co.in On Wed, Aug 7, 2013 at 11:35 AM, dieter die...@handshake.de wrote: Lakshmipathi.G lakshmipath...@gmail.com writes: We have a server running a web-based terminal emulator (based on shellinabox for screen-casting check www.webminal.org) that allows users to learn simple bash commands. This Linux environment secured by things like quota, selinux,ulimit etc Now some users are requesting python access. How to ensure python is executed in a restricted environment. I came across http://docs.python.org/2/library/restricted.html but it seems like disabled in 2.3. Any thoughts on how we can safely provide python access to users. When you are satisfied with the protection you have achieved for bash commands, those same protection might be sufficient for Python as well. I assume that you used operating system facilities to restrict what the (system) user can do on the operating system level: the same restriction would apply to the (same) user executing Python code. -- http://mail.python.org/mailman/listinfo/python-list -- http://mail.python.org/mailman/listinfo/python-list
Re: Reg secure python environment with web terminal emulator
If you permit file I/O and anything that can spawn a process, it is possible to create a raw binary executable and trigger its execution. -- Yes,we permit file i/o with quota limits and spawning a process is allowed upto a limit. If I'm not wrong, we will be safe if user invokes subprocess or os.system('sudo') calls due to system constraints. Could you please share more info about creating raw binary executable and its potential problem. Thanks for your response. -- Cheers, Lakshmipathi.G FOSS Programmer. www.giis.co.in -- http://mail.python.org/mailman/listinfo/python-list