Re: Safe-Python?

jredford@seelebrennt.lehman.com
Mon, 26 Sep 94 17:20:23 -0400

> The next generation of embeddable scripting languages will need to
> have the capability to restrict the danger programs can do to the
> filesystem.

I can't say I agree at all. Certainly there is a need for a 'safe'
language, but I don't see why all languages should support a 'safe'
variant to be viable.

> Let me first state what the goal is here. Suppose I want to run a new
> kind of information server, where people can submit queries in the
> form of small scripts. Or I may want to run a MUD (Multi-User
> Dungeon) type of game where players can create their own objects
> (usable by others) by writing a small program or function that
> implements the object. Obviously, a language combining power and
> elegance, like Python, would be a good candidate for the language of
> such scripts, but I don't want them to remove my files. Therefore my
> server (which may also be written in Python) needs to limit the damage
> that user-supplied code can do.
>
> Some people would reply "the only safe way is to run it in a chroot'ed
> environment". That may be true, but chroot itself is restricted to
> root (and rightly so!) so only root can use this solution.

And the other alternative is to look at the existing solution, a
custom language. Modify the flavoring, and turn the safety crank, and
you turn Python into MOO.

> My questions right now are:
>
> - Do you have a need for this -- would you use it?

For the solution, but I wouldn't use the tool. I wouldn't 'trust' Python
for this for years.

> - Do you think it can be made safe enough?

No.

> - Are there holes in my approach?
>
> - Do you like my approach?

Not much, but it's the only real option if you want to proceed this
way.

> - Can you think of a better name for guarded_exec()? (I don't like
> rexec since it sounds too much like remote exec.)
>
> - Do you know of any potentially unsafe situations (i.e. bugs :-) in
> the current Python code, like the recursion I mentioned in repr() and
> print?

Not that would fit in this mail.

> - Would you like to help implementing this? (In that case you'll need
> to provide a PGP key :-)

Why? Sounds like security through obscurity in action.

> - Anyone know enough about the approaches other languages are taking
> to summarize how they do it?

Not what you're asking, but "using existing languages to interpret
unrelated secure languages."

--
John Redford (AKA GArrow) | 3,600 hours of tape.
jredford@lehman.com       | 5 cans of Scotchguard.