views: 109
answers: 7

Hello, I'd like to make a website where people could upload their Python scripts. Of course I'd like to execute those scripts. Those scripts should do some interesting work. The problem is that people could upload scripts that could harm my server and I'd like to prevent that. What is the option to run arbitrary scripts without harming my system - actually without seeing my system at all? Thank you

+3  A: 

"Can't be done."

Running arbitrary (untrusted) scripts and staying safe is a contradiction. You should go as far as using custom kernels, jails, VMs, the like.

You can look at how http://codepad.org/about does it, it's a lot of work.

ikanobori
Wow, that was helpful. After your post I'm thinking of writing my own pseudo-language similar to Python to achieve my goal...
maliperica
You could tinker with the latest PyPy additions but I was assuming you wanted to offer access to cpython.
ikanobori
Not really, I'd just like people to submit their code and evaluate it afterwards.... (run it and see what it does) Anyway, I'd just like to make it possible to upload some code and test it - without doing any damage - anything that lots of people are familiar with
maliperica
+1  A: 

http://codespeak.net/pypy/dist/pypy/doc/sandbox.html

Ricky Demer
Does it really work? Did you try it?
maliperica
I use Python, but I've never tried it. (never had a reason to)
Ricky Demer
A: 

"Can't be done," is too harsh. JavaScript engines live in your web browser and they accept and run untrusted scripts safely. There's always the possibility of exploits, but in correct engine operation they are innocuous. There are even "slow script" checks that prevent infinite loops from denial-of-service attacking your browser, making those little alert dialogs.

Google App Engine runs a sandboxed version of the Python VM which effectively removes all the naughty native bits that let you get at the underlying system. To do this yourself in a safe manner would take some Python VM expertise.

For sanity, you could start off by removing all builtins and whitelisting the ones you want to allow users once you certify they don't touch the underlying system.

It feels like something somebody must have already done, but I don't know of any existing project that does it. :-/

cdleary
It has been tried and you can't do it properly without walking the VM/PyPy/codepad way. You'll need to disallow silly stuff like `__builtins__.__import__('sys').exit()` and the numerous other ways to get at it (locals() and the like). Also, without crippling the interpreter itself.
ikanobori
So you're saying you can't do it properly without doing it properly? That much I figured. ;-)
cdleary
2 problems: 1) JavaScript engines are designed ground-up as a client-side script engine, Python is not; 2) JavaScript lives in your web browser, and he is asking about running untrusted Python server-side. I'd agree that it's doable, though it would require quite a lot of work and limits a lot of stuff.
Lie Ryan
A: 

Brett Cannon has a tentative design for doing this, last I knew, but it has not been developed. So unless you're looking to put a LOT of effort into making this happen, there currently isn't a solution publicly available.

Brett's blog is at: http://sayspy.blogspot.com/ if you want to try to read up on it, I couldn't find a direct link to his discussions about the new security design. I can't recall if I read his blog talking about it, or if it was in person where he mentioned it, sorry.

There used to be some restricted execution abilities, but they were dropped because they just didn't work.

It's not impossible to do, but it's not something that Python is able to do right now. It's something people would like, but it's not really a high priority from what I've seen.

Sean Reifschneider
AFAICR, the plan was dropped because there is no way to guarantee such safety from Python itself, and an externally-enforced sandbox should be the way to go for any real security.
Lie Ryan
Yes, that is what I meant by "they just didn't work". Sorry I wasn't more clear there. I wouldn't agree that there's no way to guarantee such safety from Python, I believe Brett has a plan that would allow it, but I'd have to defer to him for the details of it one way or another.
Sean Reifschneider
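Added example, not code from the original thread or from any project it links to: the "externally-enforced sandbox" Lie Ryan refers to above and the "slow script" check cdleary mentions, done with operating-system resource limits in a child process rather than inside the interpreter. It assumes Linux (the `resource` module and `SIGXCPU`) and that the submission runs under the same interpreter as the host (`sys.executable`); the names `run_untrusted`, `_apply_limits`, `_clip` and `RunResult` are my own. It provides resource containment only (CPU time, address space, output size, wall clock); the filesystem and network isolation the answers say you need is the job of the jail or VM you wrap this in.

```python
# Added example (not from the original thread): run a submitted Python
# script in a child process under limits the kernel enforces, so the
# submission cannot switch them off from inside the interpreter.
# Assumes Linux (resource module, SIGXCPU) and sys.executable as the runtime.
import os
import resource
import signal
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass
class RunResult:
    status: str              # "ok", "error", "cpu_limit", "killed" or "timeout"
    returncode: Optional[int]  # None when the wall-clock timeout killed it
    stdout: str
    stderr: str


def _apply_limits(cpu_seconds: int, mem_bytes: int) -> None:
    """Runs in the child between fork and exec; the limits survive the exec."""
    # CPU seconds: the soft limit delivers SIGXCPU, the hard limit a second later is SIGKILL.
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
    # Address-space cap: big allocations fail with MemoryError instead of swapping the host.
    resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
    # No core dumps, and no multi-megabyte files written into the scratch directory.
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
    resource.setrlimit(resource.RLIMIT_FSIZE, (1_000_000, 1_000_000))


def _clip(data, limit: int) -> str:
    """Normalise captured output (bytes, str or None) and cap its size."""
    if data is None:
        return ""
    if isinstance(data, bytes):
        data = data.decode("utf-8", errors="replace")
    return data[:limit]


def run_untrusted(source: str, cpu_seconds: int = 2, wall_seconds: int = 10,
                  mem_bytes: int = 512 * 2**20, max_output: int = 64_000) -> RunResult:
    """Execute `source` as a script in a fresh scratch directory and report its fate."""
    with tempfile.TemporaryDirectory() as workdir:
        script = os.path.join(workdir, "submission.py")
        with open(script, "w", encoding="utf-8") as fh:
            fh.write(source)
        try:
            proc = subprocess.run(
                # -I: ignore PYTHON* env vars and the user site dir; -S: skip site.py
                [sys.executable, "-I", "-S", script],
                cwd=workdir,
                env={"PATH": "/usr/bin:/bin", "LANG": "C.UTF-8"},  # nothing from the host env
                stdin=subprocess.DEVNULL,
                capture_output=True,
                text=True,
                timeout=wall_seconds,  # wall-clock backstop, e.g. for a script that only sleeps
                preexec_fn=lambda: _apply_limits(cpu_seconds, mem_bytes),
            )
        except subprocess.TimeoutExpired as exc:
            # subprocess.run has already killed the child for us
            return RunResult("timeout", None,
                             _clip(exc.stdout, max_output), _clip(exc.stderr, max_output))

    rc = proc.returncode
    if rc == 0:
        status = "ok"
    elif rc > 0:
        status = "error"       # the script raised, or called sys.exit(n)
    elif -rc == signal.SIGXCPU:
        status = "cpu_limit"   # the CPU-time limit fired
    else:
        status = "killed"      # another signal: SIGKILL after the hard CPU limit, SIGSEGV, ...
    return RunResult(status, rc, _clip(proc.stdout, max_output), _clip(proc.stderr, max_output))


if __name__ == "__main__":
    # Constructed sample submissions, not real user uploads.
    print(run_untrusted("print(sum(range(10)))"))
    print(run_untrusted("while True:\n    pass", cpu_seconds=1, wall_seconds=5))
```

The point is where the limit lives: `setrlimit` is applied between fork and exec, so the submitted code finds it already in force and has no Python-level way to undo it, whereas a builtins whitelist inside the same interpreter is something the script can reach around. On a shared host, run the child as a dedicated unprivileged user as well, and treat `status` plus the clipped output as the only thing the web tier ever sees.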
A: 

trypython.org (BSD licensed source here) does a safe browser oriented version of such a sandbox in IronPython (via Silverlight/Moonlight). You may be able to mash together a headless version of this for use on a server -- but you could definitely let users distribute scripts between each other, or you could distribute these scripts to be executed within the plugin environment.

bvmou
+1  A: 

there are quite a lot of web servers running untrusted Python code nowadays:

you may want to look at how they approached their problems.

or you may want to look at a different approach:

  • http://pyjs.org/ - pyjamas - python-to-javascript compiler (running client-side, switch the security problem to their side)
Lie Ryan
A: 

I think the way to do this is to run those scripts in normal Python shell, but on a virtual machine. I might be biased, because my "job" is currently to play around with VMs (universities are great!).

A new VM instance can be created and started in seconds. If you keep a few around and replace only those that get broken, you have good service, absolute security and almost no effort.

But there is one thing: Virtually all web hosts today are virtual machines and they don't support another virtual machine inside. You need a real, physical server to do this.

THC4k