I can't say I agree at all. Certainly there is a need for a 'safe'
language, but I don't see why all languages should support a 'safe'
variant to be viable.
> Let me first state what the goal is here. Suppose I want to run a new
> kind of information server, where people can submit queries in the
> form of small scripts. Or I may want to run a MUD (Multi-User
> Dungeon) type of game where players can create their own objects
> (usable by others) by writing a small program or function that
> implements the object. Obviously, a language combining power and
> elegance, like Python, would be a good candidate for the language of
> such scripts, but I don't want them to remove my files. Therefore my
> server (which may also be written in Python) needs to limit the damage
> that user-supplied code can do.
>
> Some people would reply "the only safe way is to run it in a chroot'ed
> environment". That may be true, but chroot itself is restricted to
> root (and rightly so!) so only root can use this solution.
And the other alternative is to look at the existing solution, a
custom language. Modify the flavoring, turn the safety crank, and
you turn Python into MOO.
> My questions right now are:
>
> - Do you have a need for this -- would you use it?
For the solution, but I wouldn't use the tool. I wouldn't 'trust' Python
for this for years.
> - Do you think it can be made safe enough?
No.
> - Are there holes in my approach?
>
> - Do you like my approach?
Not much, but it's the only real option if you want to proceed this
way.
> - Can you think of a better name for guarded_exec()? (I don't like
> rexec since it sounds too much like remote exec.)
>
> - Do you know of any potentially unsafe situations (i.e. bugs :-) in
> the current Python code, like the recursion I mentioned in repr() and
> print?
Not that would fit in this mail.
> - Would you like to help implementing this? (In that case you'll need
> to provide a PGP key :-)
Why? Sounds like security through obscurity in action.
> - Anyone know enough about the approaches other languages are taking
> to summarize how they do it?
Not what you're asking, but "using existing languages to interpret
unrelated secure languages."
--
John Redford (AKA GArrow) | 3,600 hours of tape.
jredford@lehman.com       | 5 cans of Scotchguard.
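An added example (not code from this thread, and not Python's later rexec
module) of the guarded_exec() the quoted proposal asks about, written for
modern CPython 3.8+. Layer one is the approach under discussion: run the
script with a hand-picked __builtins__ dict. Layer two vetoes filesystem,
process and network audit events through sys.addaudithook() while the
script runs. SAFE_BUILTINS, VETOED_EVENTS, SandboxViolation, run_audited
and the two sample scripts are assumptions of this example, not anything
from the thread. The second sample script shows why the namespace layer
alone is not enough: with open and __import__ removed, it still reaches
the real __import__ through object.__subclasses__().

```python
import builtins
import sys

# Names a submitted script may use.  Assumption: enough for small query
# scripts; deliberately absent are open, __import__, getattr, eval, exec.
SAFE_BUILTINS = {
    name: getattr(builtins, name)
    for name in ("abs", "float", "int", "len", "max", "min",
                 "range", "sorted", "str", "sum")
}

# Audit events (Python 3.8+) vetoed while a guarded script runs; matched
# by prefix, e.g. "open", "os.listdir", "os.system", "subprocess.Popen".
VETOED_EVENTS = ("open", "os.", "subprocess.", "socket.", "shutil.", "import")


class SandboxViolation(Exception):
    """A guarded script reached an operation the audit hook vetoes."""


_guarding = False        # True only while an audited guarded_exec() runs
_hook_installed = False  # audit hooks cannot be removed, so install once


def _audit_hook(event, args):
    # Raising inside an audit hook aborts the audited operation.
    if _guarding and event.startswith(VETOED_EVENTS):
        raise SandboxViolation(f"{event} vetoed inside guarded script")


def guarded_exec(script, audit=False):
    """Run an untrusted script with a hand-picked __builtins__ and return
    the value it leaves in RESULT.  audit=True additionally vetoes the
    filesystem/process/network audit events listed in VETOED_EVENTS."""
    global _guarding, _hook_installed
    if audit and not _hook_installed:
        sys.addaudithook(_audit_hook)
        _hook_installed = True
    namespace = {"__builtins__": dict(SAFE_BUILTINS)}
    code = compile(script, "<guarded>", "exec")
    _guarding = audit
    try:
        exec(code, namespace)
    finally:
        _guarding = False      # hook goes passive again even on failure
    return namespace.get("RESULT")


def run_audited(script):
    """Return ("ok", result) or ("vetoed", message) for an audited run."""
    try:
        return "ok", guarded_exec(script, audit=True)
    except SandboxViolation as exc:
        return "vetoed", str(exc)


# Constructed input 1: the kind of small query script the proposal has in mind.
BENIGN_SCRIPT = """
scores = [3, 9, 4, 7]
RESULT = sum(sorted(scores)[-2:]) / len(scores)
"""

# Constructed input 2: no open or __import__ in its namespace, yet it walks
# object.__subclasses__() to a class written in Python, whose __init__'s
# __globals__ holds that module's real __builtins__.
ESCAPE_SCRIPT = """
real = None
for cls in ().__class__.__base__.__subclasses__():
    try:
        g = cls.__init__.__globals__
    except:
        continue
    if "__builtins__" in g:
        real = g["__builtins__"]
        break
try:
    imp = real["__import__"]     # a dict in ordinary modules ...
except:
    imp = real.__import__        # ... the builtins module in __main__
RESULT = imp("os").listdir(".")  # a directory listing leaves the sandbox
"""

if __name__ == "__main__":
    print("benign:", guarded_exec(BENIGN_SCRIPT))
    print("escape, namespace only:", guarded_exec(ESCAPE_SCRIPT)[:3])
    print("escape, audited:", run_audited(ESCAPE_SCRIPT))
```

Run it and the namespace-only call returns a directory listing, while the
audited call raises SandboxViolation at os.listdir. The audit layer is not
a security boundary either, and PEP 578 says as much: the _guarding flag is
a module global that escaped code can reach through sys.modules and flip,
and ctypes bypasses the interpreter's events entirely. That is consistent
with the "No" above: damage limitation has to come from outside the
interpreter, whether the chroot the quoted proposal sets aside for needing
root, or today a separate process under an OS-level sandbox.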