blob: d5e2d02b1b5695d9eb0ab878f938d6f7fb61fcfe [file] [log] [blame]
Fred Drake295da241998-08-10 19:42:37 +00001\section{\module{rexec} ---
Fred Drakeffbe6871999-04-22 21:23:22 +00002 Restricted execution framework}
Fred Drakeb91e9341998-07-23 17:59:49 +00003
Fred Drakeffbe6871999-04-22 21:23:22 +00004\declaremodule{standard}{rexec}
Fred Drakeb91e9341998-07-23 17:59:49 +00005\modulesynopsis{Basic restricted execution framework.}
6
Fred Drakea8912301998-03-14 07:08:02 +00007
Guido van Rossumbe0a8a61996-09-10 17:37:05 +00008
Fred Drake19479911998-02-13 06:58:54 +00009This module contains the \class{RExec} class, which supports
Guido van Rossum7b0c9d81998-05-08 13:27:38 +000010\method{r_eval()}, \method{r_execfile()}, \method{r_exec()}, and
Fred Drakea8912301998-03-14 07:08:02 +000011\method{r_import()} methods, which are restricted versions of the standard
Guido van Rossum7b0c9d81998-05-08 13:27:38 +000012Python functions \method{eval()}, \method{execfile()} and
13the \keyword{exec} and \keyword{import} statements.
Guido van Rossumf73f79b1996-10-24 22:14:06 +000014Code executed in this restricted environment will
Guido van Rossum095538d1996-10-22 01:11:19 +000015only have access to modules and functions that are deemed safe; you
Fred Drake19479911998-02-13 06:58:54 +000016can subclass \class{RExec} to add or remove capabilities as desired.
Guido van Rossum095538d1996-10-22 01:11:19 +000017
Fred Drake19479911998-02-13 06:58:54 +000018\emph{Note:} The \class{RExec} class can prevent code from performing
Guido van Rossum095538d1996-10-22 01:11:19 +000019unsafe operations like reading or writing disk files, or using TCP/IP
20sockets. However, it does not protect against code using extremely
Fred Drake8ee679f2001-07-14 02:50:55 +000021large amounts of memory or processor time.
Guido van Rossum095538d1996-10-22 01:11:19 +000022
Fred Drakea8912301998-03-14 07:08:02 +000023\begin{classdesc}{RExec}{\optional{hooks\optional{, verbose}}}
Fred Drake19479911998-02-13 06:58:54 +000024Returns an instance of the \class{RExec} class.
Guido van Rossum095538d1996-10-22 01:11:19 +000025
Fred Drakea8912301998-03-14 07:08:02 +000026\var{hooks} is an instance of the \class{RHooks} class or a subclass of it.
27If it is omitted or \code{None}, the default \class{RHooks} class is
Guido van Rossumf73f79b1996-10-24 22:14:06 +000028instantiated.
Fred Drakeffbe6871999-04-22 21:23:22 +000029Whenever the \module{rexec} module searches for a module (even a
Fred Drake19479911998-02-13 06:58:54 +000030built-in one) or reads a module's code, it doesn't actually go out to
31the file system itself. Rather, it calls methods of an \class{RHooks}
32instance that was passed to or created by its constructor. (Actually,
33the \class{RExec} object doesn't make these calls --- they are made by
34a module loader object that's part of the \class{RExec} object. This
Fred Drake907e76b2001-07-06 20:30:11 +000035allows another level of flexibility, which can be useful when changing
36the mechanics of \keyword{import} within the restricted environment.)
Guido van Rossum095538d1996-10-22 01:11:19 +000037
Fred Drake19479911998-02-13 06:58:54 +000038By providing an alternate \class{RHooks} object, we can control the
Guido van Rossum095538d1996-10-22 01:11:19 +000039file system accesses made to import a module, without changing the
40actual algorithm that controls the order in which those accesses are
Fred Drake19479911998-02-13 06:58:54 +000041made. For instance, we could substitute an \class{RHooks} object that
42passes all filesystem requests to a file server elsewhere, via some
43RPC mechanism such as ILU. Grail's applet loader uses this to support
Guido van Rossum095538d1996-10-22 01:11:19 +000044importing applets from a URL for a directory.
45
Guido van Rossumf73f79b1996-10-24 22:14:06 +000046If \var{verbose} is true, additional debugging output may be sent to
Guido van Rossum095538d1996-10-22 01:11:19 +000047standard output.
Fred Drakea8912301998-03-14 07:08:02 +000048\end{classdesc}
Guido van Rossum095538d1996-10-22 01:11:19 +000049
Fred Drake307cb052001-06-22 18:21:53 +000050It is important to be aware that code running in a restricted
51environment can still call the \function{sys.exit()} function. To
52disallow restricted code from exiting the interpreter, always protect
53calls that cause restricted code to run with a
54\keyword{try}/\keyword{except} statement that catches the
55\exception{SystemExit} exception. Removing the \function{sys.exit()}
56function from the restricted environment is not sufficient --- the
57restricted code could still use \code{raise SystemExit}. Removing
58\exception{SystemExit} is not a reasonable option; some library code
59makes use of this and would break were it not available.
Guido van Rossum095538d1996-10-22 01:11:19 +000060
Guido van Rossum095538d1996-10-22 01:11:19 +000061
Fred Drake307cb052001-06-22 18:21:53 +000062\begin{seealso}
63 \seetitle[http://grail.sourceforge.net/]{Grail Home Page}{Grail is a
64 Web browser written entirely in Python. It uses the
65 \module{rexec} module as a foundation for supporting
66 Python applets, and can be used as an example usage of
67 this module.}
68\end{seealso}
Guido van Rossum095538d1996-10-22 01:11:19 +000069
Guido van Rossum095538d1996-10-22 01:11:19 +000070
Fred Drake307cb052001-06-22 18:21:53 +000071\subsection{RExec Objects \label{rexec-objects}}
Guido van Rossum095538d1996-10-22 01:11:19 +000072
Fred Drake19479911998-02-13 06:58:54 +000073\class{RExec} instances support the following methods:
Guido van Rossum095538d1996-10-22 01:11:19 +000074
Fred Drakeda70ee11998-04-02 18:51:30 +000075\begin{methoddesc}{r_eval}{code}
Guido van Rossumf73f79b1996-10-24 22:14:06 +000076\var{code} must either be a string containing a Python expression, or
77a compiled code object, which will be evaluated in the restricted
Fred Drakea8912301998-03-14 07:08:02 +000078environment's \module{__main__} module. The value of the expression or
Guido van Rossumf73f79b1996-10-24 22:14:06 +000079code object will be returned.
Fred Drakeda70ee11998-04-02 18:51:30 +000080\end{methoddesc}
Guido van Rossum095538d1996-10-22 01:11:19 +000081
Fred Drakeda70ee11998-04-02 18:51:30 +000082\begin{methoddesc}{r_exec}{code}
Guido van Rossumf73f79b1996-10-24 22:14:06 +000083\var{code} must either be a string containing one or more lines of
84Python code, or a compiled code object, which will be executed in the
Fred Drakea8912301998-03-14 07:08:02 +000085restricted environment's \module{__main__} module.
Fred Drakeda70ee11998-04-02 18:51:30 +000086\end{methoddesc}
Guido van Rossum095538d1996-10-22 01:11:19 +000087
Fred Drakeda70ee11998-04-02 18:51:30 +000088\begin{methoddesc}{r_execfile}{filename}
Guido van Rossum095538d1996-10-22 01:11:19 +000089Execute the Python code contained in the file \var{filename} in the
Fred Drakea8912301998-03-14 07:08:02 +000090restricted environment's \module{__main__} module.
Fred Drakeda70ee11998-04-02 18:51:30 +000091\end{methoddesc}
Guido van Rossum095538d1996-10-22 01:11:19 +000092
Fred Drakea8912301998-03-14 07:08:02 +000093Methods whose names begin with \samp{s_} are similar to the functions
94beginning with \samp{r_}, but the code will be granted access to
Fred Drake71f894a1998-02-23 14:37:40 +000095restricted versions of the standard I/O streams \code{sys.stdin},
Fred Drakea8912301998-03-14 07:08:02 +000096\code{sys.stderr}, and \code{sys.stdout}.
Guido van Rossum095538d1996-10-22 01:11:19 +000097
Fred Drakeda70ee11998-04-02 18:51:30 +000098\begin{methoddesc}{s_eval}{code}
Guido van Rossum095538d1996-10-22 01:11:19 +000099\var{code} must be a string containing a Python expression, which will
100be evaluated in the restricted environment.
Fred Drakeda70ee11998-04-02 18:51:30 +0000101\end{methoddesc}
Guido van Rossum095538d1996-10-22 01:11:19 +0000102
Fred Drakeda70ee11998-04-02 18:51:30 +0000103\begin{methoddesc}{s_exec}{code}
Guido van Rossum095538d1996-10-22 01:11:19 +0000104\var{code} must be a string containing one or more lines of Python code,
105which will be executed in the restricted environment.
Fred Drakeda70ee11998-04-02 18:51:30 +0000106\end{methoddesc}
Guido van Rossum095538d1996-10-22 01:11:19 +0000107
Fred Drakeda70ee11998-04-02 18:51:30 +0000108\begin{methoddesc}{s_execfile}{code}
Guido van Rossum095538d1996-10-22 01:11:19 +0000109Execute the Python code contained in the file \var{filename} in the
110restricted environment.
Fred Drakeda70ee11998-04-02 18:51:30 +0000111\end{methoddesc}
Guido van Rossum095538d1996-10-22 01:11:19 +0000112
Fred Drake19479911998-02-13 06:58:54 +0000113\class{RExec} objects must also support various methods which will be
Guido van Rossumf73f79b1996-10-24 22:14:06 +0000114implicitly called by code executing in the restricted environment.
115Overriding these methods in a subclass is used to change the policies
116enforced by a restricted environment.
Guido van Rossum095538d1996-10-22 01:11:19 +0000117
Fred Drakeda70ee11998-04-02 18:51:30 +0000118\begin{methoddesc}{r_import}{modulename\optional{, globals\optional{,
119 locals\optional{, fromlist}}}}
Fred Drakea8912301998-03-14 07:08:02 +0000120Import the module \var{modulename}, raising an \exception{ImportError}
Guido van Rossumf73f79b1996-10-24 22:14:06 +0000121exception if the module is considered unsafe.
Fred Drakeda70ee11998-04-02 18:51:30 +0000122\end{methoddesc}
Guido van Rossum095538d1996-10-22 01:11:19 +0000123
Fred Drakeda70ee11998-04-02 18:51:30 +0000124\begin{methoddesc}{r_open}{filename\optional{, mode\optional{, bufsize}}}
Fred Drakea8912301998-03-14 07:08:02 +0000125Method called when \function{open()} is called in the restricted
126environment. The arguments are identical to those of \function{open()},
Guido van Rossum095538d1996-10-22 01:11:19 +0000127and a file object (or a class instance compatible with file objects)
Fred Drake19479911998-02-13 06:58:54 +0000128should be returned. \class{RExec}'s default behaviour is allow opening
Guido van Rossum095538d1996-10-22 01:11:19 +0000129any file for reading, but forbidding any attempt to write a file. See
Guido van Rossumf73f79b1996-10-24 22:14:06 +0000130the example below for an implementation of a less restrictive
Fred Drakea8912301998-03-14 07:08:02 +0000131\method{r_open()}.
Fred Drakeda70ee11998-04-02 18:51:30 +0000132\end{methoddesc}
Guido van Rossum095538d1996-10-22 01:11:19 +0000133
Fred Drakeda70ee11998-04-02 18:51:30 +0000134\begin{methoddesc}{r_reload}{module}
Guido van Rossum095538d1996-10-22 01:11:19 +0000135Reload the module object \var{module}, re-parsing and re-initializing it.
Fred Drakeda70ee11998-04-02 18:51:30 +0000136\end{methoddesc}
Guido van Rossum095538d1996-10-22 01:11:19 +0000137
Fred Drakeda70ee11998-04-02 18:51:30 +0000138\begin{methoddesc}{r_unload}{module}
Fred Drake907e76b2001-07-06 20:30:11 +0000139Unload the module object \var{module} (remove it from the
Guido van Rossumf73f79b1996-10-24 22:14:06 +0000140restricted environment's \code{sys.modules} dictionary).
Fred Drakeda70ee11998-04-02 18:51:30 +0000141\end{methoddesc}
Guido van Rossum095538d1996-10-22 01:11:19 +0000142
Guido van Rossumf73f79b1996-10-24 22:14:06 +0000143And their equivalents with access to restricted standard I/O streams:
144
Fred Drakeda70ee11998-04-02 18:51:30 +0000145\begin{methoddesc}{s_import}{modulename\optional{, globals\optional{,
146 locals\optional{, fromlist}}}}
Fred Drake19479911998-02-13 06:58:54 +0000147Import the module \var{modulename}, raising an \exception{ImportError}
Guido van Rossumf73f79b1996-10-24 22:14:06 +0000148exception if the module is considered unsafe.
Fred Drakeda70ee11998-04-02 18:51:30 +0000149\end{methoddesc}
Guido van Rossum095538d1996-10-22 01:11:19 +0000150
Fred Drakeda70ee11998-04-02 18:51:30 +0000151\begin{methoddesc}{s_reload}{module}
Guido van Rossum095538d1996-10-22 01:11:19 +0000152Reload the module object \var{module}, re-parsing and re-initializing it.
Fred Drakeda70ee11998-04-02 18:51:30 +0000153\end{methoddesc}
Guido van Rossum095538d1996-10-22 01:11:19 +0000154
Fred Drakeda70ee11998-04-02 18:51:30 +0000155\begin{methoddesc}{s_unload}{module}
Guido van Rossum095538d1996-10-22 01:11:19 +0000156Unload the module object \var{module}.
157% XXX what are the semantics of this?
Fred Drakeda70ee11998-04-02 18:51:30 +0000158\end{methoddesc}
Guido van Rossum095538d1996-10-22 01:11:19 +0000159
Fred Drake307cb052001-06-22 18:21:53 +0000160
161\subsection{Defining restricted environments \label{rexec-extension}}
162
163The \class{RExec} class has the following class attributes, which are
164used by the \method{__init__()} method. Changing them on an existing
165instance won't have any effect; instead, create a subclass of
166\class{RExec} and assign them new values in the class definition.
167Instances of the new class will then use those new values. All these
168attributes are tuples of strings.
169
170\begin{memberdesc}{nok_builtin_names}
171Contains the names of built-in functions which will \emph{not} be
172available to programs running in the restricted environment. The
173value for \class{RExec} is \code{('open', 'reload', '__import__')}.
174(This gives the exceptions, because by far the majority of built-in
175functions are harmless. A subclass that wants to override this
176variable should probably start with the value from the base class and
177concatenate additional forbidden functions --- when new dangerous
178built-in functions are added to Python, they will also be added to
179this module.)
180\end{memberdesc}
181
182\begin{memberdesc}{ok_builtin_modules}
183Contains the names of built-in modules which can be safely imported.
184The value for \class{RExec} is \code{('audioop', 'array', 'binascii',
185'cmath', 'errno', 'imageop', 'marshal', 'math', 'md5', 'operator',
186'parser', 'regex', 'rotor', 'select', 'sha', '_sre', 'strop',
187'struct', 'time')}. A similar remark about overriding this variable
188applies --- use the value from the base class as a starting point.
189\end{memberdesc}
190
191\begin{memberdesc}{ok_path}
192Contains the directories which will be searched when an \keyword{import}
193is performed in the restricted environment.
194The value for \class{RExec} is the same as \code{sys.path} (at the time
195the module is loaded) for unrestricted code.
196\end{memberdesc}
197
198\begin{memberdesc}{ok_posix_names}
199% Should this be called ok_os_names?
200Contains the names of the functions in the \refmodule{os} module which will be
201available to programs running in the restricted environment. The
202value for \class{RExec} is \code{('error', 'fstat', 'listdir',
203'lstat', 'readlink', 'stat', 'times', 'uname', 'getpid', 'getppid',
204'getcwd', 'getuid', 'getgid', 'geteuid', 'getegid')}.
205\end{memberdesc}
206
207\begin{memberdesc}{ok_sys_names}
208Contains the names of the functions and variables in the \refmodule{sys}
209module which will be available to programs running in the restricted
210environment. The value for \class{RExec} is \code{('ps1', 'ps2',
211'copyright', 'version', 'platform', 'exit', 'maxint')}.
212\end{memberdesc}
213
214
Guido van Rossum095538d1996-10-22 01:11:19 +0000215\subsection{An example}
216
217Let us say that we want a slightly more relaxed policy than the
Fred Drake19479911998-02-13 06:58:54 +0000218standard \class{RExec} class. For example, if we're willing to allow
219files in \file{/tmp} to be written, we can subclass the \class{RExec}
220class:
Guido van Rossum095538d1996-10-22 01:11:19 +0000221
Fred Drake19479911998-02-13 06:58:54 +0000222\begin{verbatim}
Guido van Rossum095538d1996-10-22 01:11:19 +0000223class TmpWriterRExec(rexec.RExec):
224 def r_open(self, file, mode='r', buf=-1):
Guido van Rossumf73f79b1996-10-24 22:14:06 +0000225 if mode in ('r', 'rb'):
226 pass
227 elif mode in ('w', 'wb', 'a', 'ab'):
228 # check filename : must begin with /tmp/
229 if file[:5]!='/tmp/':
230 raise IOError, "can't write outside /tmp"
231 elif (string.find(file, '/../') >= 0 or
232 file[:3] == '../' or file[-3:] == '/..'):
233 raise IOError, "'..' in filename forbidden"
234 else: raise IOError, "Illegal open() mode"
Guido van Rossum095538d1996-10-22 01:11:19 +0000235 return open(file, mode, buf)
Fred Drake19479911998-02-13 06:58:54 +0000236\end{verbatim}
Guido van Rossume47da0a1997-07-17 16:34:52 +0000237%
Guido van Rossum095538d1996-10-22 01:11:19 +0000238Notice that the above code will occasionally forbid a perfectly valid
239filename; for example, code in the restricted environment won't be
240able to open a file called \file{/tmp/foo/../bar}. To fix this, the
Fred Drakea8912301998-03-14 07:08:02 +0000241\method{r_open()} method would have to simplify the filename to
Guido van Rossum095538d1996-10-22 01:11:19 +0000242\file{/tmp/bar}, which would require splitting apart the filename and
243performing various operations on it. In cases where security is at
244stake, it may be preferable to write simple code which is sometimes
245overly restrictive, instead of more general code that is also more
246complex and may harbor a subtle security hole.