Safe Python Environment in Linux

Question

Is it possible to create an environment to safely run arbitrary Python scripts under Linux? Those scripts are supposed to be received from untrusted people and may be too large to check them manually.

A very brute-force solution is to create a virtual machine and restore its initial state after every launch of an untrusted script. (Too expensive.)

I wonder if it's possible to restrict Python from accessing the file system and interacting with other programs and so on.

Answer 1

Try searching for "sandboxing python", e.g.:

http://wiki.python.org/moin/SandboxedPython

http://wiki.python.org/moin/How%20can%20I%20run%20an%20untrusted%20Python%20script%20safely%20(i.e.%20Sandbox)

Answer 2

Consider using a chroot jail. Not only is this very secure, well-supported and tested but it also applies to external applications you run from python.

Answer 3

You could run jython and use the sandboxing mechanism from the JVM. The sandboxing in the JVM is very strong very well understood and more or less well documented. It will take some time to define exactly what you want to allow and what you dnt want to allow, but you should be able to get a very strong security from that ...

On the other side, jython is not 100% compatible with cPython ...

Answer 4

There are 4 things you may try:

• As you already mentioned, using a virtual machine or some other form of virtualisation (perhaps solaris zones are lightweight enough?). If the script breaks the OS there then you don't care.
• Using chroot, which puts a shell session into a virtual root directory, separate from the main OS root directory.
• Using systrace. Think of this as a firewall for system calls.
• Using a "jail", which builds upon systrace, giving each jail it's own process table etc.

Systrace has been compromised recently, so be aware of that.