Commit 87b8f318 authored by Fred Drake

Fixed some logical markup nits.

Added a pointer to Grail in the see-also section, since it's used as
an example.
parent deb7e096
\chapter{Restricted Execution} \chapter{Restricted Execution \label{restricted}}
\label{restricted}
In general, Python programs have complete access to the underlying In general, Python programs have complete access to the underlying
operating system throug the various functions and classes, For operating system throug the various functions and classes, For
example, a Python program can open any file for reading and writing by example, a Python program can open any file for reading and writing by
using the \code{open()} built-in function (provided the underlying OS using the \function{open()} built-in function (provided the underlying
gives you permission!). This is exactly what you want for most OS gives you permission!). This is exactly what you want for most
applications. applications.
There exists a class of applications for which this ``openness'' is There exists a class of applications for which this ``openness'' is
inappropriate. Take Grail: a web browser that accepts ``applets'', inappropriate. Take Grail: a web browser that accepts ``applets,''
snippets of Python code, from anywhere on the Internet for execution snippets of Python code, from anywhere on the Internet for execution
on the local system. This can be used to improve the user interface on the local system. This can be used to improve the user interface
of forms, for instance. Since the originator of the code is unknown, of forms, for instance. Since the originator of the code is unknown,
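Review bot: the typo "throug" and the comma splice "classes, For" in the second sentence of the chapter survive in the new column even though this commit is a markup-nit pass; suggest `operating system through the various functions and classes. For` while the paragraph is being touched. The remaining changes in the hunk (folding \label{restricted} into the \chapter argument, \code{open()} becoming \function{open()}, and the comma moving inside the closing quotes of ``applets,'') are consistent with the manual's markup conventions.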
...@@ -38,27 +37,28 @@ determined by the supervisor, different restrictions can be imposed, ...@@ -38,27 +37,28 @@ determined by the supervisor, different restrictions can be imposed,
depending on the application. For example, it might be deemed depending on the application. For example, it might be deemed
``safe'' for untrusted code to read any file within a specified ``safe'' for untrusted code to read any file within a specified
directory, but never to write a file. In this case, the supervisor directory, but never to write a file. In this case, the supervisor
may redefine the built-in may redefine the built-in \function{open()} function so that it raises
\code{open()} function so that it raises an exception whenever the an exception whenever the \var{mode} parameter is \code{'w'}. It
\var{mode} parameter is \code{'w'}. It might also perform a might also perform a \cfunction{chroot()}-like operation on the
\code{chroot()}-like operation on the \var(unknown) parameter, such \var(unknown) parameter, such that root is always relative to some
that root is always relative to some safe ``sandbox'' area of the safe ``sandbox'' area of the filesystem. In this case, the untrusted
filesystem. In this case, the untrusted code would still see an code would still see an built-in \function{open()} function in its
built-in \code{open()} function in its environment, with the same environment, with the same calling interface. The semantics would be
calling interface. The semantics would be identical too, with identical too, with \exception{IOError}s being raised when the
\code{IOError}s being raised when the supervisor determined that an supervisor determined that an unallowable parameter is being used.
unallowable parameter is being used.
The Python run-time determines whether a particular code block is The Python run-time determines whether a particular code block is
executing in restricted execution mode based on the identity of the executing in restricted execution mode based on the identity of the
\code{__builtins__} object in its global variables: if this is (the \code{__builtins__} object in its global variables: if this is (the
dictionary of) the standard \code{__builtin__} module, the code is dictionary of) the standard \refmodule[builtin]{__builtin__} module,
deemed to be unrestricted, else it is deemed to be restricted. the code is deemed to be unrestricted, else it is deemed to be
restricted.
Python code executing in restricted mode faces a number of limitations Python code executing in restricted mode faces a number of limitations
that are designed to prevent it from escaping from the padded cell. that are designed to prevent it from escaping from the padded cell.
For instance, the function object attribute \code{func_globals} and the For instance, the function object attribute \member{func_globals} and
class and instance object attribute \code{__dict__} are unavailable. the class and instance object attribute \member{__dict__} are
unavailable.
Two modules provide the framework for setting up restricted execution Two modules provide the framework for setting up restricted execution
environments: environments:
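Review bot: two defects in the redefined-open() paragraph survive on the new side and should go in with this reflow: `\var(unknown)` uses parentheses where the markup needs braces, so \var consumes only the opening parenthesis as its argument and "unknown)" is typeset as plain text (write `\var{unknown}`), and "an built-in \function{open()} function" should read "a built-in \function{open()} function". The switch from \code{IOError}s to \exception{IOError}s, from \code{func_globals} and \code{__dict__} to \member{...}, and from \code{__builtin__} to \refmodule[builtin]{__builtin__} is the right logical markup for each of those names.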
...@@ -66,6 +66,11 @@ environments: ...@@ -66,6 +66,11 @@ environments:
\localmoduletable \localmoduletable
\begin{seealso} \begin{seealso}
\seetext{Andrew Kuchling, ``Restricted Execution HOWTO.'' Available \seetext{Andrew Kuchling, ``Restricted Execution HOWTO.'' Available
online at \url{http://www.python.org/doc/howto/rexec/}.} online at \url{http://www.python.org/doc/howto/rexec/}.}
\seetext{Grail, an Internet browser written in Python, is available
at \url{http://grail.cnri.reston.va.us/grail/}. More
information on the use of Python's restricted execution
mode in Grail is available on the Web site.}
\end{seealso} \end{seealso}
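Review bot: the new \seetext entry ends with "More information on the use of Python's restricted execution mode in Grail is available on the Web site" without saying where on the site, so a reader following the see-also has to hunt for it; either cite the specific page or drop that sentence and let the Grail URL stand on its own. The entry itself belongs here, since the chapter uses Grail as its motivating example, as the commit message says.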