| 1 | <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> |
| 2 | <html> |
| 3 | <head> |
| 4 | <link rel="STYLESHEET" href="lib.css" type='text/css' /> |
| 5 | <link rel="SHORTCUT ICON" href="../icons/pyfav.png" type="image/png" /> |
| 6 | <link rel='start' href='../index.html' title='Python Documentation Index' /> |
| 7 | <link rel="first" href="lib.html" title='Python Library Reference' /> |
| 8 | <link rel='contents' href='contents.html' title="Contents" /> |
| 9 | <link rel='index' href='genindex.html' title='Index' /> |
| 10 | <link rel='last' href='about.html' title='About this document...' /> |
| 11 | <link rel='help' href='about.html' title='About this document...' /> |
| 12 | <link rel="next" href="module-Bastion.html" /> |
| 13 | <link rel="prev" href="restricted.html" /> |
| 14 | <link rel="parent" href="restricted.html" /> |
| 15 | <link rel="next" href="rexec-objects.html" /> |
| 16 | <meta name='aesop' content='information' /> |
| 17 | <title>17.1 rexec -- Restricted execution framework</title> |
| 18 | </head> |
| 19 | <body> |
| 54 | |
| 55 | <H1><A NAME="SECTION0019100000000000000000"> |
| 56 | 17.1 <tt class="module">rexec</tt> -- |
| 57 | Restricted execution framework</A> |
| 58 | </H1> |
| 59 | |
| 60 | <P> |
| 61 | <A NAME="module-rexec"></A> |
| 62 | |
| 63 | <span class="versionnote">Changed in version 2.3: |
| 64 | Disabled module.</span> |
| 65 | |
| 66 | <P> |
| 67 | <div class="warning"><b class="label">Warning:</b> |
| 68 | |
| 69 | The documentation has been left in place to help in reading old code |
| 70 | that uses the module. |
| 71 | </div> |
| 72 | |
| 73 | <P> |
| 74 | This module contains the <tt class="class">RExec</tt> class, which supports |
| 75 | <tt class="method">r_eval()</tt>, <tt class="method">r_execfile()</tt>, <tt class="method">r_exec()</tt>, and |
| 76 | <tt class="method">r_import()</tt> methods, which are restricted versions of the standard |
| 77 | Python functions <tt class="method">eval()</tt>, <tt class="method">execfile()</tt> and |
| 78 | the <tt class="keyword">exec</tt> and <tt class="keyword">import</tt> statements. |
| 79 | Code executed in this restricted environment will |
| 80 | only have access to modules and functions that are deemed safe; you |
| 81 | can subclass <tt class="class">RExec</tt> to add or remove capabilities as desired. |
| 82 | |
| 83 | <P> |
| 84 | <div class="warning"><b class="label">Warning:</b> |
| 85 | |
| 86 | While the <tt class="module">rexec</tt> module is designed to perform as described |
| 87 | below, it does have a few known vulnerabilities which could be |
| 88 | exploited by carefully written code. Thus it should not be relied |
| 89 | upon in situations requiring "production ready" security. In such |
| 90 | situations, execution via sub-processes or very careful |
| 91 | "cleansing" of both code and data to be processed may be |
| 92 | necessary. Alternatively, help in patching known <tt class="module">rexec</tt> |
| 93 | vulnerabilities would be welcomed. |
| 94 | </div> |
| 95 | |
| 96 | <P> |
| 97 | <div class="note"><b class="label">Note:</b> |
| 98 | The <tt class="class">RExec</tt> class can prevent code from performing unsafe |
| 99 | operations like reading or writing disk files, or using TCP/IP |
| 100 | sockets. However, it does not protect against code using extremely |
| 101 | large amounts of memory or processor time. |
| 102 | </div> |
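<P>
The warning above suggests sub-processes, and the note names memory and processor time as the gaps <tt class="class">RExec</tt> leaves open; the sketch below covers both. It is an added example, not part of the original documentation, written for current Python 3 on POSIX, and <code>run_limited</code>, <code>_apply_limits</code> and the limit values are assumptions. It bounds CPU time and memory only and does not restrict file or network access.

```python
# Added example (not from the Python documentation). Function names and
# limit values are assumptions chosen for illustration. POSIX only.
import resource
import subprocess
import sys

CPU_SECONDS = 1                  # cap on processor time for the child
ADDRESS_SPACE = 512 * 1024 ** 2  # cap on virtual memory, in bytes
WALL_SECONDS = 10                # backstop for code that sleeps instead of spinning


def _apply_limits():
    # Runs in the child between fork() and exec(), so the limits bind the
    # new interpreter and never the host process.
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_SECONDS, CPU_SECONDS))
    resource.setrlimit(resource.RLIMIT_AS, (ADDRESS_SPACE, ADDRESS_SPACE))


def run_limited(source):
    """Run source in a separate interpreter; return (status, stdout)."""
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", source],  # -I: isolated mode
            stdin=subprocess.DEVNULL,
            capture_output=True,
            text=True,
            timeout=WALL_SECONDS,
            preexec_fn=_apply_limits,
        )
    except subprocess.TimeoutExpired:
        return ("wall-timeout", "")
    if proc.returncode < 0:
        # Negative return code: the kernel killed the child (CPU limit hit).
        return ("killed-by-signal-%d" % -proc.returncode, proc.stdout)
    if proc.returncode != 0:
        # Includes an uncaught MemoryError once the memory cap is reached.
        return ("failed-%d" % proc.returncode, proc.stdout)
    return ("ok", proc.stdout)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(run_limited("print(2 + 2)"))
    print(run_limited("while True: pass"))
    print(run_limited("x = bytearray(2 ** 30)"))
```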
| 103 | |
| 104 | <P> |
| 105 | <dl><dt><table cellpadding="0" cellspacing="0"><tr valign="baseline"> |
| 106 | <td><nobr><b><span class="typelabel">class</span> <tt id='l2h-4913' xml:id='l2h-4913' class="class">RExec</tt></b>(</nobr></td> |
| 107 | <td><var></var><big>[</big><var>hooks</var><big>[</big><var>, verbose</var><big>]</big><var></var><big>]</big><var></var>)</td></tr></table></dt> |
| 108 | <dd> |
| 109 | Returns an instance of the <tt class="class">RExec</tt> class. |
| 110 | |
| 111 | <P> |
| 112 | <var>hooks</var> is an instance of the <tt class="class">RHooks</tt> class or a subclass of it. |
| 113 | If it is omitted or <code>None</code>, the default <tt class="class">RHooks</tt> class is |
| 114 | instantiated. |
| 115 | Whenever the <tt class="module">rexec</tt> module searches for a module (even a |
| 116 | built-in one) or reads a module's code, it doesn't actually go out to |
| 117 | the file system itself. Rather, it calls methods of an <tt class="class">RHooks</tt> |
| 118 | instance that was passed to or created by its constructor. (Actually, |
| 119 | the <tt class="class">RExec</tt> object doesn't make these calls -- they are made by |
| 120 | a module loader object that's part of the <tt class="class">RExec</tt> object. This |
| 121 | allows another level of flexibility, which can be useful when changing |
| 122 | the mechanics of <tt class="keyword">import</tt> within the restricted environment.) |
| 123 | |
| 124 | <P> |
| 125 | By providing an alternate <tt class="class">RHooks</tt> object, we can control the |
| 126 | file system accesses made to import a module, without changing the |
| 127 | actual algorithm that controls the order in which those accesses are |
| 128 | made. For instance, we could substitute an <tt class="class">RHooks</tt> object that |
| 129 | passes all filesystem requests to a file server elsewhere, via some |
| 130 | RPC mechanism such as ILU. Grail's applet loader uses this to support |
| 131 | importing applets from a URL for a directory. |
| 132 | |
| 133 | <P> |
| 134 | If <var>verbose</var> is true, additional debugging output may be sent to |
| 135 | standard output. |
| 136 | </dl> |
| 137 | |
| 138 | <P> |
| 139 | It is important to be aware that code running in a restricted |
| 140 | environment can still call the <tt class="function">sys.exit()</tt> function. To |
| 141 | disallow restricted code from exiting the interpreter, always protect |
| 142 | calls that cause restricted code to run with a |
| 143 | <tt class="keyword">try</tt>/<tt class="keyword">except</tt> statement that catches the |
| 144 | <tt class="exception">SystemExit</tt> exception. Removing the <tt class="function">sys.exit()</tt> |
| 145 | function from the restricted environment is not sufficient -- the |
| 146 | restricted code could still use <code>raise SystemExit</code>. Removing |
| 147 | <tt class="exception">SystemExit</tt> is not a reasonable option; some library code |
| 148 | makes use of this and would break were it not available. |
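<P>
The guard described above, as an added example that is not part of the original documentation. Because <tt class="module">rexec</tt> is disabled, plain <code>exec()</code> with a trimmed builtins dictionary stands in for the restricted environment (an assumption, and not a security boundary); all names are hypothetical. It also shows that in current Python, where <tt class="exception">SystemExit</tt> derives from <code>BaseException</code>, a guard that catches only <code>Exception</code> does not stop it.

```python
# Added example (not from the Python documentation). rexec is disabled, so
# plain exec() with a trimmed builtins dict stands in for the restricted
# environment; that stand-in is an assumption and is not a security boundary.

# sys.exit is unreachable here (no __import__), but SystemExit stays
# available because library code relies on it, as the text notes.
TRIMMED_BUILTINS = {"len": len, "range": range, "SystemExit": SystemExit}

# Constructed sample inputs.
SAMPLES = {
    "benign": "result = len(range(5))",
    "import_sys": "import sys\nsys.exit(2)",
    "raise_exit": "raise SystemExit(3)",
}


def _exec_untrusted(source):
    namespace = {"__builtins__": dict(TRIMMED_BUILTINS)}
    exec(compile(source, "<untrusted>", "exec"), namespace)
    return namespace.get("result")


def run_naive(source):
    """Guard that only catches Exception: SystemExit passes straight through."""
    try:
        return ("ok", _exec_untrusted(source))
    except Exception as exc:
        return ("error", type(exc).__name__)


def run_guarded(source):
    """Guard recommended by the text: catch SystemExit explicitly."""
    try:
        return ("ok", _exec_untrusted(source))
    except SystemExit as exc:
        return ("exit-blocked", exc.code)
    except Exception as exc:
        return ("error", type(exc).__name__)


def host_survives(runner, source):
    """True if the host keeps control after running source with runner."""
    try:
        runner(source)
    except SystemExit:
        return False
    return True


if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(name, run_guarded(src), host_survives(run_naive, src))
```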
| 149 | |
| 150 | <P> |
| 151 | <div class="seealso"> |
| 152 | <p class="heading">See Also:</p> |
| 153 | |
| 154 | <dl compact="compact" class="seetitle"> |
| 155 | <dt><em class="citetitle"><a href="http://grail.sourceforge.net/" |
| 156 | >Grail Home Page</a></em></dt> |
| 157 | <dd>Grail is a |
| 158 | Web browser written entirely in Python. It uses the |
| 159 | <tt class="module">rexec</tt> module as a foundation for supporting |
| 160 | Python applets, and can serve as an example of how |
| 161 | this module is used.</dd> |
| 162 | </dl> |
| 163 | </div> |
| 164 | |
| 165 | <P> |
| 166 | |
| 179 | |
| 180 | <DIV CLASS="navigation"> |
| 213 | <hr /> |
| 214 | <span class="release-info">Release 2.4.2, documentation updated on 28 September 2005.</span> |
| 215 | </DIV> |
| 216 | <!--End of Navigation Panel--> |
| 217 | <ADDRESS> |
| 218 | See <i><a href="about.html">About this document...</a></i> for information on suggesting changes. |
| 219 | </ADDRESS> |
| 220 | </BODY> |
| 221 | </HTML> |