
Re: [pygame] pygame web plugin



On Sep 5, 2008, at 10:26 PM, Campbell Barton wrote:

From talking to the Python guys, sandboxing Python is easy if you use
the C API to overwrite builtins.
(Sandboxing issues arise from trying to sandbox Python from within Python.)

You'd need to replace Python's import function with one that checks
only for files in a zip, for instance.

Or for starters you could disable import altogether and only allow C
modules and standalone scripts.
[..]

I'm not sure who you spoke with about this, but from my experience Python is very difficult to effectively sandbox; in fact the official security methods (bastion and rexec) were famously disabled after gaping security holes were pointed out to GvR after descriptors were introduced to the language.

At Zope corp, we put a huge amount of effort into trying to run "trusted" python code securely, and there were always things lurking that needed to be dealt with. For example, you'll need to override the memory manager or else the following line of code will swap your machine to death:

" "*1000*1000*1000*1000

You'd need to prevent scripts from dynamically modifying std functions and classes (or you'd need to run each app in its own interpreter); the list goes on and on. It's much more difficult than it first appears.

-Casey
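One defensive control for the memory-exhaustion line quoted above, as an added example that is not code from the thread: run the untrusted script in a separate interpreter process whose address space is capped with setrlimit, so the allocation fails with MemoryError inside the child instead of swapping the host. It assumes a POSIX system (the `resource` module is Unix-only); the limit and allocation sizes are chosen for illustration.

```python
import resource
import subprocess
import sys

# Constructed child program: attempts the allocation and reports the outcome.
# Mirrors the " "*1000*1000*1000*1000 line from the thread, with the size
# taken from argv so the same script can be run at several sizes.
CHILD = r"""
import sys
n = int(sys.argv[1])
try:
    s = " " * n
    print("allocated", len(s))
except MemoryError:
    print("MemoryError")
"""


def run_limited(nbytes, limit_bytes):
    """Run the allocation in a fresh interpreter with RLIMIT_AS capped.

    The cap is applied in the child between fork and exec, so the parent
    (and anything else on the host) keeps its normal limits.
    Returns the child's single line of output.
    """
    def cap():
        resource.setrlimit(resource.RLIMIT_AS, (limit_bytes, limit_bytes))

    proc = subprocess.run(
        [sys.executable, "-c", CHILD, str(nbytes)],
        capture_output=True, text=True, preexec_fn=cap,
    )
    return proc.stdout.strip()


if __name__ == "__main__":
    limit = 1024 ** 3  # 1 GiB of address space for the whole child interpreter
    # A modest allocation still succeeds under the cap, so the limit is not
    # simply killing the interpreter at startup.
    print(run_limited(10 ** 6, limit))
    # A 2 GB string exceeds the cap and is refused cleanly inside the child.
    print(run_limited(2 * 10 ** 9, limit))
    # The exact line from the thread (10**12 bytes) fails the same way.
    print(run_limited(1000 * 1000 * 1000 * 1000, limit))
```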