17.1.2 Defining restricted environments
The RExec class has the following class attributes, which are used
by the __init__() method. Changing them on an existing instance won't
have any effect; instead, create a subclass of RExec and assign them
new values in the class definition. Instances of the new class will then use those new values.
All these attributes are tuples of strings.
- Contains the names of built-in functions which will not be available to programs
running in the restricted environment. The value for RExec is
'reload', '__import__'). (This gives the exceptions, because by far the majority of
built-in functions are harmless. A subclass that wants to override this variable should
probably start with the value from the base class and concatenate additional forbidden
functions -- when new dangerous built-in functions are added to Python, they will also be
added to this module.)
- Contains the names of built-in modules which can be safely imported. The value for RExec is
('audioop', 'array', 'binascii', 'cmath', 'errno', 'imageop',
'marshal', 'math', 'md5', 'operator', 'parser', 'regex', 'rotor', 'select', 'sha', '_sre',
'strop', 'struct', 'time'). A similar remark about overriding this variable applies
-- use the value from the base class as a starting point.
- Contains the directories which will be searched when an import
is performed in the restricted environment. The value for RExec is
the same as
sys.path (at the time the module is loaded) for unrestricted
- Contains the names of the functions in the os
module which will be available to programs running in the restricted environment. The
value for RExec is
('error', 'fstat', 'listdir', 'lstat', 'readlink',
'stat', 'times', 'uname', 'getpid', 'getppid', 'getcwd', 'getuid', 'getgid', 'geteuid', 'getegid').
- Contains the names of the functions and variables in the sys module which will be available to programs running in
the restricted environment. The value for RExec is
'ps2', 'copyright', 'version', 'platform', 'exit', 'maxint').
- Contains the file types from which modules are allowed to be loaded. Each file type is
an integer constant defined in the imp
module. The meaningful values are PY_SOURCE, PY_COMPILED, and C_EXTENSION. The value
for RExec is
(C_EXTENSION, PY_SOURCE). Adding PY_COMPILED in subclasses is not recommended; an attacker could exit
the restricted execution mode by putting a forged byte-compiled file (.pyc)
anywhere in your file system, for example by writing it to /tmp
or uploading it to the /incoming directory of your public FTP