28.1.2 Defining restricted environments
The RExec class has the following class attributes, which are used by the __init__() method. Changing them on an existing instance won't have any effect; instead, create a subclass of RExec and assign them new values in the class definition. Instances of the new class will then use those new values. All these attributes are tuples of strings.
-
Contains the names of built-in functions which will not be
available to programs running in the restricted environment. The
value for RExec is
('open', 'reload', '__import__')
. (This gives the exceptions, because by far the majority of built-in functions are harmless. A subclass that wants to override this variable should probably start with the value from the base class and concatenate additional forbidden functions -- when new dangerous built-in functions are added to Python, they will also be added to this module.)
-
Contains the names of built-in modules which can be safely imported.
The value for RExec is
('audioop', 'array', 'binascii', 'cmath', 'errno', 'imageop', 'marshal', 'math', 'md5', 'operator', 'parser', 'regex', 'select', 'sha', '_sre', 'strop', 'struct', 'time')
. A similar remark about overriding this variable applies -- use the value from the base class as a starting point.
-
Contains the directories which will be searched when an import
is performed in the restricted environment.
The value for RExec is the same as
sys.path
(at the time the module is loaded) for unrestricted code.
-
Contains the names of the functions in the os module which will be
available to programs running in the restricted environment. The
value for RExec is
('error', 'fstat', 'listdir', 'lstat', 'readlink', 'stat', 'times', 'uname', 'getpid', 'getppid', 'getcwd', 'getuid', 'getgid', 'geteuid', 'getegid')
.
-
Contains the names of the functions and variables in the sys
module which will be available to programs running in the restricted
environment. The value for RExec is
('ps1', 'ps2', 'copyright', 'version', 'platform', 'exit', 'maxint')
.
-
Contains the file types from which modules are allowed to be loaded.
Each file type is an integer constant defined in the imp module.
The meaningful values are PY_SOURCE, PY_COMPILED, and
C_EXTENSION. The value for RExec is
(C_EXTENSION, PY_SOURCE)
. Adding PY_COMPILED in subclasses is not recommended; an attacker could exit the restricted execution mode by putting a forged byte-compiled file (.pyc) anywhere in your file system, for example by writing it to /tmp or uploading it to the /incoming directory of your public FTP server.
See About this document... for information on suggesting changes.