Commit | Line | Data |
---|---|---|
920dae64 AT |
1 | <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> |
2 | <html> | |
3 | <head> | |
4 | <link rel="STYLESHEET" href="lib.css" type='text/css' /> | |
5 | <link rel="SHORTCUT ICON" href="../icons/pyfav.png" type="image/png" /> | |
6 | <link rel='start' href='../index.html' title='Python Documentation Index' /> | |
7 | <link rel="first" href="lib.html" title='Python Library Reference' /> | |
8 | <link rel='contents' href='contents.html' title="Contents" /> | |
9 | <link rel='index' href='genindex.html' title='Index' /> | |
10 | <link rel='last' href='about.html' title='About this document...' /> | |
11 | <link rel='help' href='about.html' title='About this document...' /> | |
12 | <link rel="next" href="language.html" /> | |
13 | <link rel="prev" href="tkinter.html" /> | |
14 | <link rel="parent" href="lib.html" /> | |
15 | <link rel="next" href="module-rexec.html" /> | |
16 | <meta name='aesop' content='information' /> | |
17 | <title>17. Restricted Execution </title> | |
18 | </head> | |
19 | <body> | |
20 | <DIV CLASS="navigation"> | |
21 | <div id='top-navigation-panel' xml:id='top-navigation-panel'> | |
22 | <table align="center" width="100%" cellpadding="0" cellspacing="2"> | |
23 | <tr> | |
24 | <td class='online-navigation'><a rel="prev" title="16.6 Other Graphical User" | |
25 | href="other-gui-packages.html"><img src='../icons/previous.png' | |
26 | border='0' height='32' alt='Previous Page' width='32' /></A></td> | |
27 | <td class='online-navigation'><a rel="parent" title="Python Library Reference" | |
28 | href="lib.html"><img src='../icons/up.png' | |
29 | border='0' height='32' alt='Up One Level' width='32' /></A></td> | |
30 | <td class='online-navigation'><a rel="next" title="17.1 rexec " | |
31 | href="module-rexec.html"><img src='../icons/next.png' | |
32 | border='0' height='32' alt='Next Page' width='32' /></A></td> | |
33 | <td align="center" width="100%">Python Library Reference</td> | |
34 | <td class='online-navigation'><a rel="contents" title="Table of Contents" | |
35 | href="contents.html"><img src='../icons/contents.png' | |
36 | border='0' height='32' alt='Contents' width='32' /></A></td> | |
37 | <td class='online-navigation'><a href="modindex.html" title="Module Index"><img src='../icons/modules.png' | |
38 | border='0' height='32' alt='Module Index' width='32' /></a></td> | |
39 | <td class='online-navigation'><a rel="index" title="Index" | |
40 | href="genindex.html"><img src='../icons/index.png' | |
41 | border='0' height='32' alt='Index' width='32' /></A></td> | |
42 | </tr></table> | |
43 | <div class='online-navigation'> | |
44 | <b class="navlabel">Previous:</b> | |
45 | <a class="sectref" rel="prev" href="other-gui-packages.html">16.6 Other Graphical User</A> | |
46 | <b class="navlabel">Up:</b> | |
47 | <a class="sectref" rel="parent" href="lib.html">Python Library Reference</A> | |
48 | <b class="navlabel">Next:</b> | |
49 | <a class="sectref" rel="next" href="module-rexec.html">17.1 rexec </A> | |
50 | </div> | |
51 | <hr /></div> | |
52 | </DIV> | |
53 | <!--End of Navigation Panel--> | |
54 | ||
55 | <H1><A NAME="SECTION0019000000000000000000"></A><A NAME="restricted"></A> | |
56 | <BR> | |
57 | 17. Restricted Execution | |
58 | </H1> | |
59 | ||
60 | <P> | |
61 | <div class="warning"><b class="label">Warning:</b> | |
62 | ||
63 | In Python 2.3 these modules have been disabled due to various known | |
64 | and not readily fixable security holes. The modules are still | |
65 | documented here to help in reading old code that uses the | |
66 | <tt class="module">rexec</tt> and <tt class="module">Bastion</tt> modules. | |
67 | </div> | |
68 | ||
69 | <P> | |
70 | <em>Restricted execution</em> is the basic framework in Python that allows | |
71 | for the segregation of trusted and untrusted code. The framework is based on the | |
72 | notion that trusted Python code (a <em>supervisor</em>) can create a | |
73 | ``padded cell'' (or environment) with limited permissions, and run the | |
74 | untrusted code within this cell. The untrusted code cannot break out | |
75 | of its cell, and can only interact with sensitive system resources | |
76 | through interfaces defined and managed by the trusted code. The term | |
77 | ``restricted execution'' is favored over ``safe-Python'' | |
78 | since true safety is hard to define, and is determined by the way the | |
79 | restricted environment is created. Note that the restricted | |
80 | environments can be nested, with inner cells creating subcells of | |
81 | lesser, but never greater, privilege. | |
82 | ||
83 | <P> | |
84 | An interesting aspect of Python's restricted execution model is that | |
85 | the interfaces presented to untrusted code usually have the same names | |
86 | as those presented to trusted code. Therefore no special interfaces | |
87 | need to be learned to write code designed to run in a restricted | |
88 | environment. And because the exact nature of the padded cell is | |
89 | determined by the supervisor, different restrictions can be imposed, | |
90 | depending on the application. For example, it might be deemed | |
91 | ``safe'' for untrusted code to read any file within a specified | |
92 | directory, but never to write a file. In this case, the supervisor | |
93 | may redefine the built-in <tt class="function">open()</tt> function so that it raises | |
94 | an exception whenever the <var>mode</var> parameter is <code>'w'</code>. It | |
95 | might also perform a <tt class="cfunction">chroot()</tt>-like operation on the | |
96 | <var>filename</var> parameter, such that root is always relative to some | |
97 | safe ``sandbox'' area of the filesystem. In this case, the untrusted | |
98 | code would still see a built-in <tt class="function">open()</tt> function in its | |
99 | environment, with the same calling interface. The semantics would be | |
100 | identical too, with <tt class="exception">IOError</tt>s being raised when the | |
101 | supervisor determined that an unallowable parameter is being used. | |
102 | ||
103 | <P> | |
104 | The Python run-time determines whether a particular code block is | |
105 | executing in restricted execution mode based on the identity of the | |
106 | <code>__builtins__</code> object in its global variables: if this is (the | |
107 | dictionary of) the standard <tt class="module"><a href="module-builtin.html">__builtin__</a></tt> module, | |
108 | the code is deemed to be unrestricted, else it is deemed to be | |
109 | restricted. | |
110 | ||
111 | <P> | |
112 | Python code executing in restricted mode faces a number of limitations | |
113 | that are designed to prevent it from escaping from the padded cell. | |
114 | For instance, the function object attribute <tt class="member">func_globals</tt> and | |
115 | the class and instance object attribute <tt class="member">__dict__</tt> are | |
116 | unavailable. | |
117 | ||
118 | <P> | |
119 | Two modules provide the framework for setting up restricted execution | |
120 | environments: | |
121 | ||
122 | <P> | |
123 | <table class='synopsistable' valign='baseline'> | |
124 | <tr class='oddrow'> | |
125 | <td><b><tt class='module'><a href='module-rexec.html'>rexec</a></tt></b></td> | |
126 | <td> </td> | |
127 | <td class='synopsis'>Basic restricted execution framework.</td></tr> | |
128 | <tr><td><b><tt class='module'><a href='module-Bastion.html'>Bastion</a></tt></b></td> | |
129 | <td> </td> | |
130 | <td class='synopsis'>Providing restricted access to objects.</td></tr> | |
131 | </table> | |
132 | ||
133 | <BR> | |
134 | <P> | |
135 | <div class="seealso"> | |
136 | <p class="heading">See Also:</p> | |
137 | ||
138 | <dl compact="compact" class="seetitle"> | |
139 | <dt><em class="citetitle"><a href="http://grail.sourceforge.net/" | |
140 | >Grail Home Page</a></em></dt> | |
141 | <dd>Grail, an Internet browser written in Python, uses these | |
142 | modules to support Python applets. More | |
143 | information on the use of Python's restricted execution | |
144 | mode in Grail is available on the Web site.</dd> | |
145 | </dl> | |
146 | </div> | |
147 | ||
148 | <DIV CLASS="navigation"> | |
149 | <div class='online-navigation'> | |
150 | <p></p><hr /> | |
151 | <table align="center" width="100%" cellpadding="0" cellspacing="2"> | |
152 | <tr> | |
153 | <td class='online-navigation'><a rel="prev" title="16.6 Other Graphical User" | |
154 | href="other-gui-packages.html"><img src='../icons/previous.png' | |
155 | border='0' height='32' alt='Previous Page' width='32' /></A></td> | |
156 | <td class='online-navigation'><a rel="parent" title="Python Library Reference" | |
157 | href="lib.html"><img src='../icons/up.png' | |
158 | border='0' height='32' alt='Up One Level' width='32' /></A></td> | |
159 | <td class='online-navigation'><a rel="next" title="17.1 rexec " | |
160 | href="module-rexec.html"><img src='../icons/next.png' | |
161 | border='0' height='32' alt='Next Page' width='32' /></A></td> | |
162 | <td align="center" width="100%">Python Library Reference</td> | |
163 | <td class='online-navigation'><a rel="contents" title="Table of Contents" | |
164 | href="contents.html"><img src='../icons/contents.png' | |
165 | border='0' height='32' alt='Contents' width='32' /></A></td> | |
166 | <td class='online-navigation'><a href="modindex.html" title="Module Index"><img src='../icons/modules.png' | |
167 | border='0' height='32' alt='Module Index' width='32' /></a></td> | |
168 | <td class='online-navigation'><a rel="index" title="Index" | |
169 | href="genindex.html"><img src='../icons/index.png' | |
170 | border='0' height='32' alt='Index' width='32' /></A></td> | |
171 | </tr></table> | |
172 | <div class='online-navigation'> | |
173 | <b class="navlabel">Previous:</b> | |
174 | <a class="sectref" rel="prev" href="other-gui-packages.html">16.6 Other Graphical User</A> | |
175 | <b class="navlabel">Up:</b> | |
176 | <a class="sectref" rel="parent" href="lib.html">Python Library Reference</A> | |
177 | <b class="navlabel">Next:</b> | |
178 | <a class="sectref" rel="next" href="module-rexec.html">17.1 rexec </A> | |
179 | </div> | |
180 | </div> | |
181 | <hr /> | |
182 | <span class="release-info">Release 2.4.2, documentation updated on 28 September 2005.</span> | |
183 | </DIV> | |
184 | <!--End of Navigation Panel--> | |
185 | <ADDRESS> | |
186 | See <i><a href="about.html">About this document...</a></i> for information on suggesting changes. | |
187 | </ADDRESS> | |
188 | </BODY> | |
189 | </HTML> |
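The supervisor-defined <tt class="function">open()</tt> that the text sketches (writes refused, filenames confined chroot-style to a sandbox directory, the same name and calling interface left in place, <tt class="exception">IOError</tt> raised on disallowed parameters), worked through as an added example. This is not code from the Python documentation and does not use the <tt class="module">rexec</tt> or <tt class="module">Bastion</tt> API, which this page says were disabled; it is plain Python 3 in which the supervisor hands untrusted code a <code>__builtins__</code> namespace containing its own <code>open</code>. The names <code>restricted_open</code>, <code>confine_path</code>, <code>make_cell_builtins</code>, <code>run_in_cell</code> and the <code>SANDBOX_ROOT</code> fixture are assumptions of the example, and it goes beyond the text by refusing every write mode (<code>'w'</code>, <code>'a'</code>, <code>'x'</code>, <code>'+'</code>) rather than only <code>'w'</code>.

```python
import builtins
import os
import tempfile

# Constructed sandbox root for the example; a real supervisor would point this
# at the directory the untrusted code is allowed to read from.
SANDBOX_ROOT = tempfile.mkdtemp(prefix="padded-cell-")

# Every open() mode character that can create or modify a file.
WRITE_MODE_CHARS = set("wax+")


def confine_path(filename, root=SANDBOX_ROOT):
    """chroot()-like mapping: interpret *filename* relative to *root* and refuse
    any result that resolves outside it ('..' components and symlinks included).
    Hypothetical helper name; not part of any Python API."""
    root = os.path.realpath(root)
    # Absolute paths are taken relative to the sandbox root, as under a chroot.
    candidate = os.path.realpath(os.path.join(root, filename.lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise IOError("path escapes sandbox: %r" % filename)
    return candidate


def restricted_open(filename, mode="r", *args, **kwargs):
    """Replacement for open() handed to untrusted code: same name and calling
    interface, but write modes and paths outside the sandbox raise IOError."""
    if WRITE_MODE_CHARS & set(mode):
        raise IOError("write access denied: mode %r" % mode)
    return open(confine_path(filename), mode, *args, **kwargs)


def make_cell_builtins():
    """Builtins namespace for the padded cell: the public builtins with open()
    swapped for the supervisor's version. Dunder names such as __import__ are
    deliberately left out, so the cell code here cannot import modules."""
    cell = {name: getattr(builtins, name) for name in dir(builtins)
            if not name.startswith("_")}
    cell["open"] = restricted_open
    return cell


def run_in_cell(source):
    """Execute *source* with the cell's builtins; returns the cell's globals."""
    cell_globals = {"__builtins__": make_cell_builtins()}
    exec(source, cell_globals)
    return cell_globals


def demo():
    """Run three pieces of untrusted code in the cell and collect what they saw."""
    # Constructed fixture: one readable file inside the sandbox.
    with open(os.path.join(SANDBOX_ROOT, "notes.txt"), "w") as f:
        f.write("hello from the sandbox\n")

    results = {}
    # 1. Reading inside the sandbox works through the ordinary open() name.
    g = run_in_cell("with open('notes.txt') as f:\n    data = f.read()\n")
    results["read"] = g["data"]
    # 2. Writing is refused with IOError, exactly as the supervisor decided.
    g = run_in_cell(
        "try:\n"
        "    open('notes.txt', 'w')\n"
        "    outcome = 'wrote'\n"
        "except IOError as e:\n"
        "    outcome = 'denied: %s' % e\n")
    results["write"] = g["outcome"]
    # 3. A path that resolves outside the sandbox is refused the same way.
    g = run_in_cell(
        "try:\n"
        "    open('../../etc/hostname')\n"
        "    outcome = 'escaped'\n"
        "except IOError as e:\n"
        "    outcome = 'denied: %s' % e\n")
    results["escape"] = g["outcome"]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-7s %s" % (name, outcome.strip()))
```

The cell code calls <code>open('notes.txt')</code> and catches <code>IOError</code> just as it would outside the cell; only the supervisor knows that the file was resolved under <code>SANDBOX_ROOT</code> and that the write was refused. As the warning at the top of this page records, substituting builtins is the interface half of the design, not a containment boundary on its own.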