Path: csiph.com!usenet.pasdenom.info!weretis.net!feeder1.news.weretis.net!feeder.erje.net!eu.feeder.erje.net!xlned.com!feeder1.xlned.com!newsfeed.xs4all.nl!newsfeed4.news.xs4all.nl!xs4all!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail Return-Path: X-Original-To: python-list@python.org Delivered-To: python-list@mail.python.org X-Spam-Status: OK 0.017 X-Spam-Evidence: '*H*': 0.97; '*S*': 0.00; 'sufficient': 0.05; 'bash': 0.09; 'executed': 0.09; 'foss': 0.09; 'level:': 0.09; 'restriction': 0.09; 'cc:addr:python-list': 0.11; 'python': 0.11; 'assume': 0.14; 'easy_install': 0.16; 'emulator': 0.16; 'exploits': 0.16; 'set-up': 0.16; 'suggest?': 0.16; 'uninstall': 0.16; 'url:bugzilla': 0.16; 'url:redhat': 0.16; 'url:show_bug': 0.16; 'subject:python': 0.16; 'wrote:': 0.18; 'code.': 0.18; 'users.': 0.18; 'wed,': 0.18; 'thoughts': 0.19; 'thanks.': 0.20; 'seems': 0.21; 'aug': 0.22; 'cc:addr:python.org': 0.22; 'install': 0.23; 'commands,': 0.24; 'cheers,': 0.24; 'environment': 0.24; 'cc:2**0': 0.24; 'cc:no real name:2**0': 0.24; 'header:In-Reply- To:1': 0.27; '----': 0.29; 'am,': 0.29; 'restrict': 0.30; 'message-id:@mail.gmail.com': 0.30; "i'm": 0.30; 'url:mailman': 0.30; 'code': 0.31; 'disabled': 0.31; 'gcc': 0.31; 'requesting': 0.31; 'restricted': 0.31; 'safely': 0.31; 'writes:': 0.31; 'allows': 0.31; 'linux': 0.33; 'url:python': 0.33; 'running': 0.33; 'minimal': 0.33; 'subject:with': 0.35; 'basic': 0.35; 'something': 0.35; 'etc': 0.35; 'but': 0.35; 'received:google.com': 0.35; 'executing': 0.36; 'url:listinfo': 0.36; 'thanks': 0.36; 'url:org': 0.36; 'operating': 0.37; 'server': 0.38; 'others.': 0.38; 'url:library': 0.38; 'environment.': 0.39; 'delete': 0.39; 'system.': 0.39; 'users': 0.40; 'url:mail': 0.40; 'how': 0.40; 'ensure': 0.60; 'remove': 0.60; 'break': 0.61; 'simple': 0.61; 'protection': 0.63; 'such': 0.63; 'provide': 0.64; 'response.': 0.68; 'facilities': 0.69; 'accounts.': 0.74; 'satisfied': 0.81; '(any': 0.84; '2.3.': 0.84; 'commands.': 0.84; 'quota,': 0.84; 'secured': 0.84; 'skip:/ 30': 0.84; 'url:php': 0.85; 'url:59': 0.91; '2013': 0.98 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=drxfoUQloFChCp+EYNNWRup2fByqD1Hl4ALrURtjHHw=; b=NtDwLnrTd2rEHQt+Q1SVEyvBNJRDIFWUSueBkGbX/6qYYeNpCFZnzoWWC0mIjE3JDK /NTiivMhXSQFGAtNbeFMMYuXQW4gnCneiRqGQl+CaGx6SUFBo+g0OFgme9LzIgomunz9 YL25BYwBNejx3puURHN/nC+IKrLMwA8JHw6Rt+iaoCfMDBa+o7FLxWf5d9HyQzsVXnuI CcOvxRgCR+Og4BsBMuh7TNjlK2sKAqqOrQUNp4aqbaTYKZm3lOwXuVrFNXVNZw3E2wRB n/ka4kU1KMbEp68NpWf64f8mElLSJlbGxoX70WJUlRdSrrPF2XGGlFBtchkUUz2bnjP+ VtYA== X-Received: by 10.180.189.37 with SMTP id gf5mr1588736wic.9.1375866965150; Wed, 07 Aug 2013 02:16:05 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: <87txj2m3ws.fsf@handshake.de> References: <87txj2m3ws.fsf@handshake.de> From: "Lakshmipathi.G" Date: Wed, 7 Aug 2013 14:45:44 +0530 Subject: Re: Reg secure python environment with web terminal emulator To: dieter Content-Type: text/plain; charset=ISO-8859-1 Cc: python-list@python.org X-BeenThere: python-list@python.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: General discussion list for the Python programming language List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Newsgroups: comp.lang.python Message-ID: Lines: 57 NNTP-Posting-Host: 2001:888:2000:d::a6 X-Trace: 1375866972 news.xs4all.nl 15877 [2001:888:2000:d::a6]:36157 X-Complaints-To: abuse@xs4all.nl Xref: csiph.com comp.lang.python:52124 Hi - Thanks for the response. Yes, we used OS features to restrict the system user accounts. We don't allow gcc - this helped us to avoid kernel exploits via C code like : https://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=42827&forum=59 https://bugzilla.redhat.com/show_bug.cgi?id=962792 We are concerned whether user may try C exploits via Python code and break the system. What's the minimal python set-up you would suggest? I'm thinking something like: 1- Uninstall python-devel packages 2- Remove easy_install or pip (any such install utilities) 3- Keep only very basic modules under /usr/lib/python<>/site-packages and delete the others. Thanks. -- ---- Cheers, Lakshmipathi.G FOSS Programmer. www.giis.co.in On Wed, Aug 7, 2013 at 11:35 AM, dieter wrote: > "Lakshmipathi.G" writes: > >> We have a server running a web-based terminal emulator (based on shellinabox >> for screen-casting check www.webminal.org) that allows users to learn >> simple bash commands. This Linux environment secured by things like quota, >> selinux,ulimit etc >> >> Now some users are requesting python access. How to ensure python is executed >> in a restricted environment. I came across >> http://docs.python.org/2/library/restricted.html >> but it seems like disabled in 2.3. Any thoughts on how we can safely >> provide python access >> to users. > > When you are satisfied with the protection you have achieved > for bash commands, those same protection might be sufficient > for Python as well. I assume that you used operating system > facilities to restrict what the (system) user can do on the > operating system level: the same restriction would apply to the > (same) user executing Python code. > > -- > http://mail.python.org/mailman/listinfo/python-list