
Safe Python Environment in Linux

Is it possible to create an environment to safely run arbitrary Python scripts under Linux? Those scripts are supposed to be received from untrusted people and may be too large to check them manually.

A very brute-force solution is to create a virtual machine and restore its initial state after every launch of an untrusted script. (Too expensive.)

I wonder if it's possible to restrict Python from accessing the file system and interacting with other programs and so on.

Consider using a chroot jail. Not only is this very secure, well-supported and tested but it also applies to external applications you run from Python.

There are 4 things you may try:

  • As you already mentioned, using a virtual machine or some other form of virtualisation (perhaps Solaris zones are lightweight enough?). If the script breaks the OS there then you don't care.
  • Using chroot, which puts a shell session into a virtual root directory, separate from the main OS root directory.
  • Using systrace. Think of this as a firewall for system calls.
  • Using a "jail", which builds upon systrace, giving each jail its own process table etc.

Systrace has been compromised recently, so be aware of that.

You could run jython and use the sandboxing mechanism from the JVM. The sandboxing in the JVM is very strong, very well understood and more or less well documented. It will take some time to define exactly what you want to allow and what you don't want to allow, but you should be able to get very strong security from that ...

On the other side, jython is not 100% compatible with CPython ...

Couldn't you just run it as a user that has no access to anything except the scripts in that directory?
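The restricted-user approach from the last answer, as an added example that is not part of the original thread: a launcher that runs a script with a scrubbed environment, kernel resource limits and, when started as root, a drop to a dedicated unprivileged account. The function names, the limit values and the `uid`/`gid` of that account are assumptions made for illustration.

```python
import os
import resource
import subprocess
import sys

# Assumed ceilings for this example; tune them per workload.
LIMITS = {
    resource.RLIMIT_CPU: 2,          # seconds of CPU time
    resource.RLIMIT_FSIZE: 1 << 20,  # largest file the script may write (1 MiB)
    resource.RLIMIT_NOFILE: 32,      # open file descriptors
    resource.RLIMIT_CORE: 0,         # no core dumps
}

def _confine(uid, gid):
    """Build the hook that runs in the child between fork() and exec()."""
    def hook():
        for res, value in LIMITS.items():
            _, hard = resource.getrlimit(res)
            if hard != resource.RLIM_INFINITY:
                value = min(value, hard)   # an unprivileged caller cannot raise a hard limit
            resource.setrlimit(res, (value, value))
        os.umask(0o077)
        if uid is not None:                # requires root; the order matters
            os.setgroups([])               # drop supplementary groups first
            os.setgid(gid)                 # then the primary group
            os.setuid(uid)                 # uid last: nothing can be regained afterwards
    return hook

def run_untrusted(script, workdir, uid=None, gid=None, wall_timeout=5):
    """Run `script` with a scrubbed environment, rlimits and an optional uid drop."""
    return subprocess.run(
        [sys.executable, "-I", script],    # -I: isolated mode, ignores PYTHON* vars and user site
        cwd=workdir,
        env={"PATH": "/usr/bin:/bin"},     # nothing inherited from the parent
        stdin=subprocess.DEVNULL,
        capture_output=True,
        text=True,
        timeout=wall_timeout,              # wall clock; RLIMIT_CPU counts CPU time only
        close_fds=True,
        preexec_fn=_confine(uid, gid),
    )
```

Neither rlimits nor a uid drop restricts network access or reads of world-readable files, so this complements the chroot or VM options above and does not replace them.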
