Subject: Re: Creating a reliable sandboxed Python environment
From: Chris Angelico
Cc: "python-list@python.org"
Date: Sun, 31 May 2015 08:20:45 +1000
Newsgroups: comp.lang.python
In-Reply-To: <87zj4lx2cz.fsf@jester.gateway.sonic.net>

On Sun, May 31, 2015 at 6:00 AM, Paul Rubin wrote:
> Steven D'Aprano writes:
>> I wouldn't have imagined that the claim "it's easier to secure a small
>> language with a few features than a big language with lots of features"
>> would have been so controversial.
>
> Consider that if the small language is Turing-complete, you can use it
> to implement the big language. If the small language is also secure (in
> the sense of not being able to escape a sandbox), the big language
> implemented in it can't escape the sandbox either. Therefore the size
> of the language doesn't inherently affect the sandbox security.

Turing completeness isn't the whole story. How do you go about
sandboxing a Brainf* implementation such that it can be used to
implement Python, but can't be used to read or write arbitrary files
from your file system? Will you reimplement the Python standard library
in Brainf*? Will you implement open(), but nerf it? Will you make sure
there's nothing anywhere in the stdlib that can open files? And if you
_don't_ provide a reimplemented standard library, you either need to
provide an import mechanism (so you can make use of the existing Python
code) or declare that the language as a whole is neutered by a complete
lack of all those features that are implemented in Python.

ChrisA
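The two mechanisms ChrisA lists, a nerfed open() and an explicit import mechanism, look like this when sketched in plain Python. This is an added illustration, not code from the thread or from any sandboxing project; the sandbox root directory, the module allowlist and the guest programs are all constructed for the example. The guest gets a replacement open() that refuses write modes and resolves symlinks and `..` before checking that the target stays under the root, plus a replacement `__import__` that only admits modules on an allowlist. Note the limits of this approach: it is a model of the policy, not a security boundary, because in CPython guest code can still reach the interpreter's own objects through ordinary attribute access and thereby the stdlib behind them, which is exactly the "nothing anywhere in the stdlib that can open files" problem the post raises.

```python
import builtins
import os
import tempfile


class SandboxViolation(Exception):
    """Raised when guest code asks for something the host policy refuses."""


def make_restricted_open(root):
    """Return an open() replacement that only reads files under `root`."""
    root = os.path.realpath(root)
    real_open = builtins.open

    def restricted_open(path, mode="r", *args, **kwargs):
        # Read-only: any mode character that permits writing is refused.
        if any(flag in mode for flag in "wax+"):
            raise SandboxViolation(f"write access refused: {path!r}")
        # Resolve symlinks and '..' before the containment check, so that
        # 'data/../../etc/passwd' cannot slip past a string-prefix test.
        full = os.path.realpath(os.path.join(root, path))
        if os.path.commonpath([root, full]) != root:
            raise SandboxViolation(f"path escapes sandbox root: {path!r}")
        return real_open(full, mode, *args, **kwargs)

    return restricted_open


def make_restricted_import(allowed):
    """Return an __import__ replacement that honours an explicit allowlist."""
    real_import = builtins.__import__

    def restricted_import(name, globals=None, locals=None, fromlist=(), level=0):
        # Relative imports and anything outside the allowlist are refused;
        # the top-level package name decides, so 'os.path' is judged as 'os'.
        if level != 0 or name.partition(".")[0] not in allowed:
            raise SandboxViolation(f"import refused: {name!r}")
        return real_import(name, globals, locals, fromlist, level)

    return restricted_import


# Builtins the guest may see; anything not listed simply does not exist there.
SAFE_BUILTINS = ("len", "range", "str", "int", "float", "list", "dict",
                 "sorted", "min", "max", "sum", "isinstance", "Exception")
# Constructed allowlist for the example; a real policy would be reviewed per module.
ALLOWED_MODULES = frozenset({"math", "json"})


def run_sandboxed(code, root, allowed_modules=ALLOWED_MODULES):
    """Execute guest `code` with a nerfed open() and an import allowlist.

    Returns the guest's global namespace so the host can read results back.
    """
    guest_builtins = {name: getattr(builtins, name) for name in SAFE_BUILTINS}
    guest_builtins["open"] = make_restricted_open(root)
    guest_builtins["__import__"] = make_restricted_import(allowed_modules)
    env = {"__builtins__": guest_builtins}
    exec(code, env)
    return env


def demo():
    """Run a handful of constructed guest programs against a throwaway root."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample data: one readable file inside the sandbox root.
        with open(os.path.join(root, "allowed.txt"), "w") as fh:
            fh.write("hello from inside the sandbox")
        guests = {
            "read_inside": 'with open("allowed.txt") as fh:\n    result = fh.read()',
            "read_outside": 'with open("../../etc/passwd") as fh:\n    result = fh.read()',
            "write_inside": 'with open("allowed.txt", "w") as fh:\n    result = fh.write("x")',
            "import_ok": "import math\nresult = math.sqrt(16)",
            "import_os": 'import os\nresult = os.listdir("/")',
        }
        for label, src in guests.items():
            try:
                outcomes[label] = run_sandboxed(src, root)["result"]
            except SandboxViolation as exc:
                outcomes[label] = "refused: " + str(exc)
    return outcomes


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:13s} -> {outcome}")
```

The containment test uses `os.path.realpath` plus `os.path.commonpath` rather than `str.startswith`, which is the usual mistake in "nerfed open" wrappers: a prefix check passes `/srv/box-evil` for a root of `/srv/box`, and a symlink inside the root can point anywhere. Refusing relative imports (`level != 0`) closes the obvious way around a name-based allowlist.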