views: 131
answers: 3

I have a web service to which users upload python scripts that are run on a server. Those scripts process files that are on the server, and I want them to be able to see only a certain hierarchy of the server's filesystem (best: a temporary folder into which I copy the files I want processed and the scripts).

The server will ultimately be a linux based one but if a solution is also possible on Windows it would be nice to know how.

What I thought of is creating a user with restricted access to folders of the FS - ultimately only the folder containing the scripts and files - and launching the python interpreter as this user.

Can someone give me a better alternative? As relying only on this makes me feel insecure, I would like real sandboxing or a virtual FS feature where I could safely run untrusted code.

+2  A: 

You are probably best to use a virtual machine like VirtualBox or VMware (perhaps even creating one per user/session).

That will allow you some control over other resources such as memory and network as well as disk.

The only python that I know of that has such features built in is the one on Google App Engine. That may be a workable alternative for you too.

gnibbler
There is also PyPy, which provides a sandboxing feature, but the libraries and python version don't match my needs unfortunately.
attwad
+4  A: 

Either a chroot jail or a higher-order security mechanism such as SELinux can be used to restrict access to specific resources.

Ignacio Vazquez-Abrams
chroot jails can be too easily broken :(
attwad
SELinux, however, is very hard to break. It's very hard to live with.
S.Lott
Ignore attwad; chroot is the way to go. If you use a grsecurity chroot then even if you can gain root within the chroot you can't "change root" out of the jail.
Rook
@The Rook: attwad is the OP. If his beliefs are incorrect then you should correct them, not dismiss them.
Ignacio Vazquez-Abrams
@Ignacio I went into greater detail in my post. But you can't just say something is insecure without exploiting it yourself.
Rook
@The Rook, thanks, I didn't know about the grsecurity patches. When I was looking for information about chroot on the net there were tons of ways to get over it, so it felt really insecure, but once the grsecurity patches are applied it seems a viable alternative, thanks.
attwad
A: 

This is inherently insecure software. By letting users upload scripts you are introducing a remote code execution vulnerability. You have more to worry about than just modifying files: what's stopping the python script from accessing the network or other resources?

To solve this problem you need to use a sandbox. To better harden the system you can use a layered security approach.

The first layer, and the most important layer, is a python sandbox. User supplied scripts will be executed within a python sandbox. This will give you the fine grained limitations that you need. Then, the entire python app should run within its own dedicated chroot. I highly recommend using the grsecurity kernel modules, which improve the strength of any chroot. For instance, a grsecurity chroot cannot be broken unless the attacker can rip a hole into kernel land, which is very difficult to do these days. Make sure your kernel is up to date.

The end result is that you are trying to limit the resources that an attacker's script has. Layers are a proven approach to security, as long as the layers are different enough that the same attack won't break both of them. You want to isolate the script from the rest of the system as much as possible. Any resources that are shared are also paths for an attacker.

Rook
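The launcher that the last two answers describe (stage the upload into a scratch directory, chroot into a prepared jail, cap CPU/memory/process counts, then drop to an unprivileged uid before exec), written out as an added example; this is not code from the thread or from any of the posters. The jail path `JAIL`, the account name `pysandbox` and the interpreter path inside the jail are assumptions: the jail must already contain a Python interpreter and its shared libraries, the account must exist, and `run_untrusted()` must be started as root because chroot(2) needs CAP_SYS_CHROOT. `demo()` exercises only the staging and path-translation parts with constructed sample files, so it runs without root.

```python
"""Run an uploaded Python script inside a chroot as an unprivileged user.

Added example for the thread above. Assumed (not taken from the page):
  JAIL               -> directory already populated with a Python
                        interpreter and the shared libraries it needs
  SANDBOX_USER       -> dedicated unprivileged account, must exist
  INTERPRETER_IN_JAIL-> path of that interpreter as seen after chroot
"""
import os
import pwd
import resource
import shutil
import subprocess
import tempfile

JAIL = "/srv/pyjail"                 # assumption: prepared jail root
SANDBOX_USER = "pysandbox"           # assumption: unprivileged account
INTERPRETER_IN_JAIL = "/usr/bin/python3"

# Hard caps applied before exec: CPU seconds, address space, processes,
# file size, open files, no core dumps. Lowering limits needs no privilege.
LIMITS = {
    resource.RLIMIT_CPU: (10, 10),
    resource.RLIMIT_AS: (256 * 2**20, 256 * 2**20),
    resource.RLIMIT_NPROC: (16, 16),
    resource.RLIMIT_FSIZE: (16 * 2**20, 16 * 2**20),
    resource.RLIMIT_NOFILE: (64, 64),
    resource.RLIMIT_CORE: (0, 0),
}


def stage_job(jail, script_path, input_paths):
    """Copy the script and its input files into a fresh job directory under
    <jail>/work and return that directory's host-side path."""
    work_root = os.path.join(jail, "work")
    os.makedirs(work_root, exist_ok=True)
    job_dir = tempfile.mkdtemp(prefix="job-", dir=work_root)
    shutil.copy(script_path, os.path.join(job_dir, "script.py"))
    for path in input_paths:
        shutil.copy(path, os.path.join(job_dir, os.path.basename(path)))
    return job_dir


def jail_relative(jail, host_path):
    """Translate a host path below the jail into the absolute path the
    script will see after chroot; refuse anything outside the jail."""
    rel = os.path.relpath(host_path, jail)
    if rel == ".." or rel.startswith(".." + os.sep):
        raise ValueError(f"{host_path} is not inside {jail}")
    return "/" + rel


def enter_jail(pw, workdir_in_jail):
    """Runs in the forked child, before exec, while still root.
    Order matters: limits, chroot (needs root), chdir inside the new root,
    then drop group and user ids. Without grsecurity a process that is
    still root inside a chroot can escape, so the id drop is mandatory."""
    for res, lim in LIMITS.items():
        resource.setrlimit(res, lim)
    os.chroot(JAIL)
    os.chdir(workdir_in_jail)        # after chroot, so cwd is inside the jail
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    try:                             # verify the drop is irreversible
        os.setuid(0)
    except PermissionError:
        return
    raise RuntimeError("privilege drop did not stick")


def run_untrusted(script_path, input_paths, timeout=20):
    """Stage one job and execute it in the jail. Must be called as root.
    Returns the CompletedProcess with captured stdout/stderr."""
    if os.geteuid() != 0:
        raise PermissionError("chroot(2) requires root (CAP_SYS_CHROOT)")
    pw = pwd.getpwnam(SANDBOX_USER)
    if pw.pw_uid == 0:
        raise RuntimeError("sandbox account must not be root")
    job_dir = stage_job(JAIL, script_path, input_paths)
    for name in os.listdir(job_dir):   # the sandbox uid owns only its job dir
        os.chown(os.path.join(job_dir, name), pw.pw_uid, pw.pw_gid)
    os.chown(job_dir, pw.pw_uid, pw.pw_gid)
    in_jail = jail_relative(JAIL, job_dir)
    env = {"PATH": "/usr/bin:/bin", "HOME": in_jail, "PYTHONDONTWRITEBYTECODE": "1"}
    # The uid/gid drop has to happen in preexec_fn (not via subprocess's
    # user=/group= arguments), because chroot must run before it, as root.
    return subprocess.run(
        [INTERPRETER_IN_JAIL, "-I", "script.py"],
        preexec_fn=lambda: enter_jail(pw, in_jail),
        env=env, capture_output=True, timeout=timeout,  # wall-clock backstop
    )


def demo():
    """Stage a constructed job into a throwaway jail directory (no root)."""
    jail = tempfile.mkdtemp(prefix="pyjail-demo-")
    uploads = tempfile.mkdtemp(prefix="uploads-")
    script = os.path.join(uploads, "upload.py")
    data = os.path.join(uploads, "data.txt")
    with open(script, "w") as f:
        f.write("print(open('data.txt').read())\n")   # constructed sample
    with open(data, "w") as f:
        f.write("constructed sample input\n")
    job_dir = stage_job(jail, script, [data])
    return {"jail": jail, "job_dir": job_dir,
            "in_jail": jail_relative(jail, job_dir),
            "staged": sorted(os.listdir(job_dir))}


if __name__ == "__main__":
    print(demo())
```

Each layer here maps onto a resource Rook lists: `LIMITS` bounds CPU, memory and process count, `os.chroot` bounds the filesystem, and the `setuid` step bounds identity so the script cannot touch anything the sandbox account does not own. Nothing in this block restricts the network; the script inside the jail can still open sockets unless the sandbox uid is blocked by a separate control (a firewall rule keyed on that uid, or a network namespace), and `preexec_fn` is only safe in a single-threaded launcher.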