tags:

views:

131

answers:

3
+1  Q: 

faking a filesystem / virtual filesystem

I have a web service to which users upload python scripts that are run on a server. Those scripts process files that are on the server and I want them to be able to see only a certain hierarchy of the server's filesystem (best: a temporary folder on which I copy the files I want processed and the scripts).

The server will ultimately be a linux based one but if a solution is also possible on Windows it would be nice to know how.

What I though of is creating a user with restricted access to folders of the FS - ultimately only the folder containing the scripts and files - and launch the python interpreter using this user.

Can someone give me a better alternative? as relying only on this makes me feel insecure, I would like a real sandboxing or virtual FS feature where I could run safely untrusted code.

+2  A: 

You are probably best to use a virtual machine like VirtualBox or VMware (perhaps even creating one per user/session).

That will allow you some control over other resources such as memory and network as well as disk

The only python that I know of that has such features built in is the one on Google App Engine. That may be a workable alternative for you too.

gnibbler  2010-03-16 06:31:07
there is also pypy that provides a sandboxing feature but the libraries and python version don't match my needs unfortunately
attwad  2010-03-16 07:10:48
+4  A: 

Either a chroot jail or a higher-order security mechanism such as SELinux can be used to restrict access to specific resources.

Ignacio Vazquez-Abrams  2010-03-16 06:36:40
chroot jails can be too easily broken :(
attwad  2010-03-16 07:04:44
SELinux, however, is very hard to break. It's very hard to live with.
S.Lott  2010-03-16 10:11:05
Ignore attwad, Chroot is the way to go. If you use a grsecurity chroot then even if you can gain root within the chroot you can't "change root" out of the jail.
Rook  2010-03-16 20:08:21
@The Rook: attwad is the OP. If his beliefs are incorrect then you should correct them, not dismiss them.
Ignacio Vazquez-Abrams  2010-03-16 20:32:51
@Ignacio I went into greater detail in my post. But you can't just say something is insecure without exploiting it yourself.
Rook  2010-03-16 20:37:32
@The Rook, thanks I didn't know about the grsecurity patches. When I was looking for information about chroot on the net there were tons of ways to get over it so it felt really insecure, but once grsecurity patches applied it seems a viable alternative, thanks.
attwad  2010-03-17 02:40:44
A: 

This is inherently insecure software. By letting users upload scripts you are introducing a remote code execution vulnerability. You have more to worry about than just modifying files, whats stopping the python script from accessing the network or other resources?

To solve this problem you need to use a sandbox. To better harden the system you can use a layered security approach.

The first layer, and the most important layer is a python sandbox. User supplied scripts will be executed within a python sandbox. This will give you the fine grained limitations that you need. Then, the entire python app should run within its own dedicated chroot. I highly recommend using the grsecurity kernel modules which improve the strength of any chroot. For instance a grsecuirty chroot cannot be broken unless the attacker can rip a hole into kernel land which is very difficult to do these days. Make sure your kernel is up to date.

The end result is that you are trying to limit the resources that an attacker's script has. Layers are a proven approach to security, as long as the layers are different enough such that the same attack won't break both of them. You want to isolate the script form the rest of the system as much as possible. Any resources that are shared are also paths for an attacker.

Rook  2010-03-16 20:14:57

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security