> I realize rexec will not be coming back. I don't need full rexec, I have a
> much simpler requirement - I don't want the python interpreter to have
> access to the system. The embedding app (Daedalus) handles feeding in of
> modules and content through Py_CompileString and PyImport_ExecCodeModule,
> as well as building local namespaces in which the code is run. Any access
> to the embedding system is through custom data types and extension modules.
>
> My point is that none of the system builtins or major modules are used - and
> those builtins and modules are what allow the user to access and corrupt the
> system. While much of the builtins are still needed (basic data types, etc)
> most of the built-in functions such as filesystem and systemcalls are
> liabilities. They could play with the file system, manipulate the system,
> and do other things. So, my question is this: is there any way to compile
> Python as a true standalone? That is, the only access to the system is
> through extension modules? I can't find any documentation on how to control
> what builtin modules and functions are compiled in with Python.
>
> Is there any interest in such a project? Or, if I develop this myself
> (although I have no idea how secure it could be - I don't know the builtins
> very well) would there be any interest in making a patch/PEP of it? This
> sort of thing would be a boon to anyone embedding python. I believe many
> embedded apps could use this sort of feature (at the very least to keep the
> bloat down).

Well, in standard Python, the only access to the system is *also* through
extension modules -- if you count __builtin__ as an extension module. The
other extension module you want to avoid is the posix module (under Windows,
the nt module). It should be a simple matter to remove this from your module
search path.
If you are right that you don't need access to the few builtins that can do
system calls at all (I think it's just open and file, but you may want to
check), you can simply delete them from the __builtin__ module at the start.
I would delete remove as well, since remove(__builtin__) brings deleted
builtins back to life. And you'd have to provide an __import__ replacement
that restricts what you can import; but again you can do that at the start,
before running any untrusted code.

Is this clear, or do you need more explanation?

(PS: sorry for the empty email I sent you before. My fingers slipped.)

--Guido van Rossum (home page: http://www.python.org/~guido/)
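As an added illustration of the approach sketched in the reply above (this is example code written for this page, not code from the thread or from Daedalus), here is a Python 3 rendering of the two steps: strip the system-reaching names out of the builtins namespace, and install an `__import__` replacement that only admits an allow-list of modules, all before any untrusted code runs. Assumptions: it targets Python 3, where the module is `builtins` rather than `__builtin__`, `file` no longer exists, and `exec`/`eval` are ordinary builtin functions; the `BLOCKED_BUILTINS` set, the `ALLOWED_MODULES` allow-list, the `RestrictedImportError` class and the sample snippets are all constructed for the example.

```python
"""Run untrusted source with a trimmed builtins namespace and an allow-list
importer, following the suggestion in the reply above (example code).
"""
import builtins

# Builtin callables that reach the host system directly, or that would
# hand untrusted code a fresh, unrestricted builtins dict (exec/eval/compile
# with a new globals mapping get the real builtins inserted by Python).
BLOCKED_BUILTINS = {
    "open", "exec", "eval", "compile", "__import__", "input", "breakpoint",
}

# Modules untrusted code is allowed to import (constructed allow-list).
ALLOWED_MODULES = {"math", "json", "string"}


class RestrictedImportError(ImportError):
    """Raised by the replacement __import__ for a module outside the allow-list."""


def make_restricted_builtins(allowed_modules=ALLOWED_MODULES):
    """Return a copy of the builtins dict with system-reaching names removed
    and __import__ replaced by an allow-list importer."""
    safe = {name: value for name, value in vars(builtins).items()
            if name not in BLOCKED_BUILTINS}

    def restricted_import(name, globals=None, locals=None, fromlist=(), level=0):
        # Only absolute imports of allow-listed top-level packages go through.
        root = name.split(".")[0]
        if level != 0 or root not in allowed_modules:
            raise RestrictedImportError(f"import of {name!r} is not permitted")
        # Delegate permitted imports to the real importer.
        return builtins.__import__(name, globals, locals, fromlist, level)

    safe["__import__"] = restricted_import
    return safe


def run_restricted(source, filename="<untrusted>"):
    """Compile `source` and execute it in a fresh namespace whose __builtins__
    is the restricted dict. Returns the namespace the code left behind."""
    code = compile(source, filename, "exec")
    namespace = {
        "__builtins__": make_restricted_builtins(),
        "__name__": "__untrusted__",
    }
    exec(code, namespace)
    return namespace


def try_run(source):
    """Run `source`; return ('ok', namespace) or ('error', exception type name)."""
    try:
        return ("ok", run_restricted(source))
    except Exception as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    # Constructed samples: pure computation succeeds, system access does not.
    print(try_run("import math\nresult = math.sqrt(16)"))   # ('ok', {...})
    print(try_run("f = open('/etc/hostname')"))             # ('error', 'NameError')
    print(try_run("import os"))                             # ('error', 'RestrictedImportError')
    print(try_run("from os import path"))                   # ('error', 'RestrictedImportError')
```

The `__import__` replacement is installed in the same dict that `exec` is handed, so the `import` statement inside the untrusted code resolves to it rather than to the real importer. Two things the reply above implies are worth keeping in view: the names must be removed before any untrusted code runs, and the dict is only a namespace restriction, so the posix/nt module still has to be kept off the module search path as well rather than relied on to be unreachable by name.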