diff options
author | Fred Drake <fdrake@acm.org> | 1998-05-07 01:49:07 (GMT) |
---|---|---|
committer | Fred Drake <fdrake@acm.org> | 1998-05-07 01:49:07 (GMT) |
commit | cda63cc875f54b047018cad362aa23d5493b97f3 (patch) | |
tree | f43f888293bb4046a7622dffefd561b669e993c2 /Doc/librestricted.tex | |
parent | bbe33c559403c7e06642111c494bd32d9abe528f (diff) | |
download | cpython-cda63cc875f54b047018cad362aa23d5493b97f3.zip cpython-cda63cc875f54b047018cad362aa23d5493b97f3.tar.gz cpython-cda63cc875f54b047018cad362aa23d5493b97f3.tar.bz2 |
Relocating file to Doc/lib/
Diffstat (limited to 'Doc/librestricted.tex')
-rw-r--r-- | Doc/librestricted.tex | 79 |
1 files changed, 0 insertions, 79 deletions
diff --git a/Doc/librestricted.tex b/Doc/librestricted.tex deleted file mode 100644 index f78d7bb..0000000 --- a/Doc/librestricted.tex +++ /dev/null @@ -1,79 +0,0 @@ -\chapter{Restricted Execution} -\label{restricted} - -In general, Python programs have complete access to the underlying -operating system throug the various functions and classes, For -example, a Python program can open any file for reading and writing by -using the \code{open()} built-in function (provided the underlying OS -gives you permission!). This is exactly what you want for most -applications. - -There exists a class of applications for which this ``openness'' is -inappropriate. Take Grail: a web browser that accepts ``applets'', -snippets of Python code, from anywhere on the Internet for execution -on the local system. This can be used to improve the user interface -of forms, for instance. Since the originator of the code is unknown, -it is obvious that it cannot be trusted with the full resources of the -local machine. - -\emph{Restricted execution} is the basic framework in Python that allows -for the segregation of trusted and untrusted code. It is based on the -notion that trusted Python code (a \emph{supervisor}) can create a -``padded cell' (or environment) with limited permissions, and run the -untrusted code within this cell. The untrusted code cannot break out -of its cell, and can only interact with sensitive system resources -through interfaces defined and managed by the trusted code. The term -``restricted execution'' is favored over ``safe-Python'' -since true safety is hard to define, and is determined by the way the -restricted environment is created. Note that the restricted -environments can be nested, with inner cells creating subcells of -lesser, but never greater, privilege. - -An interesting aspect of Python's restricted execution model is that -the interfaces presented to untrusted code usually have the same names -as those presented to trusted code. Therefore no special interfaces -need to be learned to write code designed to run in a restricted -environment. And because the exact nature of the padded cell is -determined by the supervisor, different restrictions can be imposed, -depending on the application. For example, it might be deemed -``safe'' for untrusted code to read any file within a specified -directory, but never to write a file. In this case, the supervisor -may redefine the built-in -\code{open()} function so that it raises an exception whenever the -\var{mode} parameter is \code{'w'}. It might also perform a -\code{chroot()}-like operation on the \var{filename} parameter, such -that root is always relative to some safe ``sandbox'' area of the -filesystem. In this case, the untrusted code would still see an -built-in \code{open()} function in its environment, with the same -calling interface. The semantics would be identical too, with -\code{IOError}s being raised when the supervisor determined that an -unallowable parameter is being used. - -The Python run-time determines whether a particular code block is -executing in restricted execution mode based on the identity of the -\code{__builtins__} object in its global variables: if this is (the -dictionary of) the standard \code{__builtin__} module, the code is -deemed to be unrestricted, else it is deemed to be restricted. - -Python code executing in restricted mode faces a number of limitations -that are designed to prevent it from escaping from the padded cell. -For instance, the function object attribute \code{func_globals} and the -class and instance object attribute \code{__dict__} are unavailable. - -Two modules provide the framework for setting up restricted execution -environments: - -\begin{description} - -\item[rexec] ---- Basic restricted execution framework. - -\item[Bastion] ---- Providing restricted access to objects. - -\end{description} - -\begin{seealso} -\seetext{Andrew Kuchling, ``Restricted Execution HOWTO.'' Available -online at \url{http://www.python.org/doc/howto/rexec/}.} -\end{seealso} |