


Re: building an online judge to evaluate Python programs

Date Mon, 23 Sep 2013 09:20:06 -0400
From Ned Batchelder <ned@nedbatchelder.com>
To Fábio Santos <fabiosantosart@gmail.com>
Subject Re: building an online judge to evaluate Python programs
Cc python-list@python.org, Dave Angel <davea@davea.name>
Newsgroups comp.lang.python
Message-ID <mailman.265.1379942417.18130.python-list@python.org> (permalink)


On 9/23/13 8:33 AM, Fábio Santos wrote:
>
>
> On 20 Sep 2013 21:14, "Jabba Laci" <jabba.laci@gmail.com> wrote:
> >
> > > That last seems to me to be the biggie.  Several times in the past few
> > > years, people in this mailing list have tried to build a safe sandbox.
> > > And each one was a big failure, for a hacker of sufficient interest.
> > > Some of them were spectacular failures.
> > >
> > > If you have to be safe from your user, Python may be the wrong language
> > > to give them.
> >
> > Well, the course is about Python and I want to test Python scripts...
> >
> > I've heard about "chroot jail" but I never used it. Wikipedia says:
> >
> > "A chroot on Unix operating systems is an operation that changes the
> > apparent root directory for the current running process and its
> > children. A program that is run in such a modified environment cannot
> > name (and therefore normally not access) files outside the designated
> > directory tree. The term "chroot" may refer to the chroot(2) system
> > call or the chroot(8) wrapper program. The modified environment is
> > called a "chroot jail"."
> >
> > I guess it could be used for sandboxing.
> >
> > Laszlo
>
> It may be a good start to whitelist the modules and builtins they are 
> allowed to use.
>
> The ast module could be used to scan the source tree for import 
> statements and run the imported modules through the whitelist.
>
> There should also be many ways to run a script with stripped-down 
> builtins.
>
> Then you can control execution time and memory usage using an external 
> tool.
>
> I'm quite sure this isn't all you need, but it can be a good place to 
> start.
>
>

Python really is too dynamic for any static analysis like this to help 
in the long run.  It will stop people from doing the obvious things, but 
there will always be a way to circumvent it.  Take a look here:  Eval 
really is dangerous: 
http://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html

If you want to run untrusted Python code and prevent malice (or 
stupidity) from harming you, you need OS-level protection.

--Ned.
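
An added example, not part of the original post: one layer of the OS-level protection recommended above, running a submission in a child process under kernel-enforced CPU, memory and file-size limits plus a wall-clock timeout. The names `judge` and `_apply_limits` and the limit values are assumptions; the sketch is Unix-only and does not restrict filesystem or network access, which still needs a chroot, container or dedicated unprivileged user.

```python
import os
import resource
import subprocess
import sys
import tempfile

def _apply_limits(cpu_s, mem_bytes):
    """Build a hook that runs in the child after fork(), before exec()."""
    wanted = ((resource.RLIMIT_CPU, cpu_s),        # CPU seconds
              (resource.RLIMIT_AS, mem_bytes),     # address space
              (resource.RLIMIT_FSIZE, 1 << 20))    # largest file it may write
    def hook():
        for res, want in wanted:
            _, hard = resource.getrlimit(res)
            # Never ask for more than the hard limit we inherited.
            new = want if hard == resource.RLIM_INFINITY else min(want, hard)
            resource.setrlimit(res, (new, new))
    return hook

def judge(source, stdin_text="", cpu_s=2, mem_bytes=512 << 20, wall_s=5):
    """Run one submission; return (verdict, stdout)."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "submission.py")
        with open(path, "w") as fh:
            fh.write(source)
        try:
            proc = subprocess.run(
                [sys.executable, "-I", path],   # -I: ignore PYTHON* vars, user site
                input=stdin_text, capture_output=True, text=True,
                cwd=workdir, env={"PATH": "/usr/bin:/bin"},  # no inherited secrets
                timeout=wall_s,                 # wall clock: catches sleep()
                preexec_fn=_apply_limits(cpu_s, mem_bytes))
        except subprocess.TimeoutExpired:
            return ("timeout", "")
    if proc.returncode < 0:      # terminated by a signal, e.g. CPU limit
        return ("killed", proc.stdout)
    if proc.returncode != 0:     # uncaught exception, including MemoryError
        return ("error", proc.stdout)
    return ("ok", proc.stdout)

if __name__ == "__main__":
    # Constructed sample submissions.
    print(judge("print(sum(map(int, input().split())))", "2 3"))
    print(judge("while True: pass", cpu_s=1))
```

The limits are enforced by the kernel on the child process, so they hold whatever the submitted code does inside the interpreter.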



Thread

Re: building an online judge to evaluate Python programs Ned Batchelder <ned@nedbatchelder.com> - 2013-09-23 09:20 -0400
  Re: building an online judge to evaluate Python programs Larry Hudson <orgnut@yahoo.com> - 2013-09-23 20:04 -0700
