Showing content from http://mail.python.org/pipermail/python-dev/attachments/20060706/52bc6eb9/attachment.htm below:
<br><br><div><span class="gmail_quote">On 7/6/06, <b class="gmail_sendername">Michael Chermside</b> <<a href="mailto:mcherm@mcherm.com">mcherm@mcherm.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Me:<br>> I agree. But we don't have to give up yet. How about instead of hiding<br>> file, we cripple it. Completely. Modify the file type so that when<br>> executing on a sandboxed interpreter, all of the dangerous methods
<br>> and attributes of file throw exceptions.<br><br>Brett:<br>> This is basically what I proposed in the first place! <runs around<br>> in circles, pulling at his hair like a crazy man><br><br>Not quite. Your original proposal had the file type throwing
<br>exceptions when the user did something they weren't allowed to<br>(access a file not on the list, etc). This version proposes that<br>it *always* fails, and creates a separate beast (the<br>SecureFileWrapper) for applying the restrictions. Why? Because
<br>if the C code in file enforces the rules, then all possible<br>rules need to be written in advance, and you have to hold long<br>arguments about whether to allow subdirectories, restrict file<br>sizes, etc. Whereas SecureFileWrapper could delegate its
<br>restrictions to Python functions provided by the USER and then<br>USERS could design whatever level of restriction they wanted.</blockquote><div><br>Ah, OK, that makes more sense. I was not thinking about allowing for specifying a factory function to return the specific object to use when using open(). That could be rather handy and cool. I will definitely see if I can work it into the API in a reasonable way.
<br><br>-Brett<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Imagine we want some code to be able to open files only if they<br>
contain the letter 'w':<br><br> # get my own wrapper from __builtins__<br> myFileWrapper = file<br><br> # define a function to constrain my callers<br> def filenameContainsLetterW(path, mode):<br> filename =
os.path.basename(path)<br> if 'w' not in filename and 'W' not in filename:<br> raise PyXXX_SecurityException<br><br> # create more restrictive wrapper<br> class MustHaveW_FileWrapper:<br> __metaclass__ = SecureFileWrapperMeta
<br> wrapped_file =<br> init_condition = filenameContainsLetterW<br><br> # register the wrapper so it applies to any code<br> # in this stack frame or lower. The restriction is<br> # automatically lifted when the current stack
<br> # frame exits.<br> PyXXX_RegisterFileWrapper( MustHaveW_FileWrapper )<br><br> # Invoke less-trusted code with restrictions in place<br> less_trusted_code()<br><br>If the code fragment shown above ALREADY received
<br>a wrapped form of file which was restricted to read-only<br>access, then less_trusted_code() would be restricted<br>to read-only access to files containing 'w'.<br><br>Okay, the syntax needs work, but the idea is that I can
<br>defin restrictions *in python* and apply them to other<br>code. Using the stack to enforce wrappers is something<br>Python code cannot get around (although it does prevent<br>passing more-powerful callbacks to later stackframes).
<br><br>It all depends on whether we think that a simple set<br>of restrictions implementable in C (such as 4 lists:<br>read-only files, read-write files, read-only dirs,<br>write-only dirs) will be sufficient, or if it is
<br>valuable to allow end users to fine-tune the<br>restrictions.<br><br>-- Michael Chermside<br><br></blockquote></div><br>
RetroSearch is an open source project built by @garambo
| Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4