Replacing open builtin

2005-05-11 Thread rmm
If I replace the open builtin eg

import __main__
__main__.__builtins__.open=None

Is there any way, from here on, to access the original open function??

Extending this slightly, let's say I put a reference to the original
open function inside a class called Isolate and protect this reference
using __getattribute__ and __setattr__.  Is the original function now
isolated and only able to be referenced within Isolate?

In summary, are there any references to builtin functions other than
through __builtins__, and are __getattribute__ and __setattr__ secure?

Regards

RMM

-- 
http://mail.python.org/mailman/listinfo/python-list


Re: Replacing open builtin

2005-05-11 Thread rmm
Sorry, should maybe have used __import__ as an example.
Let's say I grab import, store the reference within the Isolate class
and then redirect the builtin import to a function in the Isolate class
which only allows certain modules to be imported, e.g. not sys.   Would
this be secure?



Re: Replacing open builtin

2005-05-11 Thread rmm
I had a quick look at the python source code and fileobject.c is one of
the core classes which, I would imagine, is why a reference can be
obtained.  The other classes (method, dictionaries etc) don't look so
much of a liability.  I'll maybe try disabling the fopen calls in
fileobject and see if it breaks anything (I've no need to open/close
files using the standard libraries).

Are there any other holes you can think of in the following scenario:
I disable all builtins except import, which I protect in my 'Isolate'
class; I then only allow import to import a single module name.

Thanks for the speedy and informative replies.

RMM



Re: Replacing open builtin

2005-05-11 Thread rmm
Sorry, didn't mean to pester Jp

I have checked the archives; Rexec copies __builtins__, causing the del
__builtins__ issue.  I'm modifying the lowest level __builtins__.
I am also using __getAttribute__ and __setAttr__; I could find no
mention of security holes on the lists.

Let me re-state the question:
1. Once I've set all builtins except Import to None, is there any way
of re-binding these built-ins if import is restricted to a single
module?
2. Are classes protected using __getAttribute__ and __setAttr__ secure?

If these questions have been asked already, could you point me to
where?

-Ronnie



Trusted python

2005-05-13 Thread rmm
Here's a first attempt at trusted python.  I would be grateful if any
python gurus could point out the, no doubt obvious, flaws.
I've stopped fileobject working with patches to fileobject and
frameobject.  All child frames of the first 'trusted' frame are trusted
(checked using inspect.getouterframes(inspect.currentframe())).  Trusted
is a one-way switch.

Is there anything I'm missing about the python frame structure?
Is there any way of circumventing __getattribute__/__setattr__ ?
Is there any way of getting to builtins once the imported __builtin__
methods are replaced?

Regards

Ronnie Mackay


--Use example
import trusted
import inspect

l_trusted=trusted.Trusted(inspect.currentframe(),
                          ['eval','reload','compile','input','execfile'],
                          [])

<...Attacks here...>

--- trusted.py ---
import __builtin__


class TrustedException(Exception): pass
class TrustedImportException(Exception): pass


class Trusted(object):

    def __init__(self, in_main_frame, in_exclude_builtins, in_modules):
        in_main_frame.trusted()   # **NOTE C PATCH. REMOVE THIS TO RUN UNPATCHED
        object.__setattr__(self, '_m', in_modules)
        object.__setattr__(self, '_import', __builtin__.__import__)
        for l_builtin in in_exclude_builtins:  #__main__.__builtins__.__dict__.keys():
            __builtin__.__dict__[l_builtin]=object.__getattribute__(self, 'error')
        __builtin__.__import__=object.__getattribute__(self, 'trusted_import')


    def error(self, *args):
        raise TrustedException

    def trusted_import(self, in_name, in_globals=None, in_locals=None, in_as=None):
        l_globals=in_globals or globals()
        l_locals=in_locals or locals()
        l_as=in_as or []
        if in_name in object.__getattribute__(self, '_m'):
            return object.__getattribute__(self, '_import')(in_name, l_globals, l_locals, l_as)
        else:
            raise TrustedImportException(in_name)

    def __setattr__(self, name, value):
        raise TrustedException

    def __getattribute__(self, name):
        if name != 'trusted_import':
            raise TrustedException
        return object.__getattribute__(self, name)


--- attempts to open a file ---
NOTE: These can't be reproduced without patching python

Test   : open('/dev/null') in the main module
Result : file() constructor not accessible in trusted mode (exceptions.IOError)

Test   : within an imported module, open('/dev/null')
Result : file() constructor not accessible in trusted mode (exceptions.IOError)

Test   : exec "open('/dev/null')"
Result : file() constructor not accessible in trusted mode (exceptions.IOError)

Test   : get file from base types
         [(1).__class__.__bases__[0].__subclasses__()[-4]('/dev/null')]
Result : file() constructor not accessible in trusted mode (exceptions.IOError)
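
Added example, not code from the original post or the patched interpreter it describes: a Python 3 port of the attribute guard that checks, on an unpatched interpreter, the two questions asked above (whether __getattribute__/__setattr__ hide a stored reference, and whether the file type stays reachable once open is removed from a namespace's builtins). The names Guard, GuardError, guard_hides_reference and file_type_reachable are hypothetical, and the restricted namespace is a constructed sample.

```python
import io


class GuardError(Exception):
    pass


class Guard(object):
    """Python 3 port of the post's attribute guard (hypothetical name)."""

    def __init__(self, reference):
        object.__setattr__(self, '_import', reference)

    def __setattr__(self, name, value):
        raise GuardError(name)

    def __getattribute__(self, name):
        raise GuardError(name)


def guard_hides_reference(guard, name='_import'):
    """True only if `name` cannot be read from outside the class."""
    try:
        getattr(guard, name)            # goes through the override, is refused
        return False
    except GuardError:
        pass
    try:
        # The base-class lookup the guard itself relies on skips the override.
        object.__getattribute__(guard, name)
        return False
    except AttributeError:
        return True


def file_type_reachable():
    """True if io.FileIO is in the class graph seen from a restricted namespace."""
    # Constructed sample: the only builtin name left is open, bound to None.
    restricted = {'__builtins__': {'open': None}}
    if eval('open', restricted) is not None:
        raise RuntimeError('sample namespace was not restricted')
    # Same route as the last test in the post, evaluated with no builtins.
    stack = eval('().__class__.__base__.__subclasses__()', restricted)
    seen = {}
    while stack:
        cls = stack.pop()
        if id(cls) not in seen:
            seen[id(cls)] = cls
            stack.extend(type.__subclasses__(cls))
    return id(io.FileIO) in seen
```

On a stock CPython 3 the first check returns False and the second returns True, which is why the post's tests only hold with the C-level patch to the file type in place.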
