
Re: Python CGI sandboxing advice (packaging of Online Python Tutor)



Hi.

I'm looking for advice on how to package the Online Python Tutor's
backend server which can execute arbitrary Python scripts submitted by
the user.

The CGI's code is supposed to be safeguarding against abuse, but I think
some sandboxing would be better at the CGI invocation for additional
security.

I forgot to CC: this list.

Any advice (beyond Paul's)?

Thanks in advance.

Best regards,

Olivier Berger <olivier.berger@it-sudparis.eu> writes:

> Hi.
>
> Paul Wise <pabs@debian.org> writes:
>
>> On Thu, Feb 6, 2014 at 8:43 AM, Paul Wise wrote:
>>
>>> Which CGI are we talking about? Perhaps we can give more specific advice.
>>
>> I guess you mean Online Python Tutor (#737732).
>>
>
> Damn BTS ;) Indeed, I was considering OPT.
>
>> Looking at the git repo, it includes a lot of embedded code copies of
>> various JavaScript libraries and other code. As per policy 4.13 those
>> should be packaged separately.
>>
>> https://wiki.debian.org/EmbeddedCodeCopies
>>
>
> Sure.
>
>> I see some places where it uses os.system(). That should switch to
>> using the subprocess module with shell disabled.
>>
>> The idea of this software is a bit concerning to me, it sounds like it
>> runs arbitrary Python code on the server and passes the results back
>> to the web. 
>
> Exactly.
>
>> I would suggest auditing it to ensure that it isn't one
>> giant security hole. Please get CVEs for any issues that you find.
>>
>> http://oss-security.openwall.org/wiki/disclosure/cve
>>
>
> Yes, it is indeed something that might be problematic.
>
> AFAICS for now, it uses a whitelist of Python modules that are allowed
> (see [0]).
>
> That looks safe at first sight, but I fear there could be some kind of
> exploits if the "safe" modules have flaws...
>
> I'm not an expert in Python code security, so I'd welcome any advice.
>
>
> In this respect, I can see the benefit of running it over a PaaS
> solution like Google App Engine (which is advertised by the upstream
> author's site), given that those Python execution environments may
> naturally be sandboxed, etc.
>
>
> Maybe a CGI sandboxing solution could be advised, for running over a
> "normal" Debian system?
>
> Thanks in advance.
>
> Best regards,
>
> [0] https://github.com/pgbovine/OnlinePythonTutor/blob/master/v3/pg_logger.py#L112

-- 
Olivier BERGER 
http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)
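Added example (not code from the thread or from Online Python Tutor): the two points raised above, replacing an os.system() string with a subprocess argv list, and putting the cap at the CGI invocation rather than relying only on an in-process module whitelist, in working Python. The function names, the rlimit numbers and the environment are illustrative choices; it assumes Linux (the resource module) and Python 3.7+.

```python
import os
import resource
import subprocess
import sys
import tempfile

# Constructed illustration of the pattern flagged in the thread (not OPT's
# code): a shell command string built from data a web user may influence.
# If script_path is "x.py; rm -rf /var/www", /bin/sh runs both commands.
def run_with_os_system(script_path):
    # Deliberately unsafe; kept only for comparison, never call it on user data.
    return os.system("python3 " + script_path)


def run_script_file(script_path):
    """Hardened replacement: argv list, no shell, so metacharacters in
    script_path are just bytes inside one argument (hypothetical helper)."""
    proc = subprocess.run(
        [sys.executable, script_path],
        capture_output=True, text=True, check=False,
    )
    return proc.returncode, proc.stdout, proc.stderr


# Resource caps applied in the child between fork() and exec().
# The numbers are illustrative, not values taken from the thread.
CPU_SECONDS = 2
ADDRESS_SPACE_BYTES = 512 * 1024 * 1024


def _limit_child():
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_SECONDS, CPU_SECONDS))
    resource.setrlimit(resource.RLIMIT_AS, (ADDRESS_SPACE_BYTES, ADDRESS_SPACE_BYTES))
    resource.setrlimit(resource.RLIMIT_NPROC, (0, 0))   # the script cannot fork()


def run_untrusted(source, timeout=5.0):
    """Run user-submitted Python source in a separate, capped interpreter
    (hypothetical helper). Returns {'status': 'timeout'} when the wall-clock
    limit killed the child, else {'status': 'exit', 'returncode', 'stdout',
    'stderr'}. The module whitelist, if any, still runs inside the child;
    these caps hold even if that whitelist is bypassed."""
    with tempfile.TemporaryDirectory() as workdir:
        script = os.path.join(workdir, "submission.py")
        with open(script, "w", encoding="utf-8") as fh:
            fh.write(source)
        try:
            proc = subprocess.run(
                [sys.executable, "-I", script],   # -I: ignore PYTHON* env vars and user site
                cwd=workdir,
                env={"PATH": "/usr/bin:/bin", "LANG": "C"},  # fixed, minimal environment
                stdin=subprocess.DEVNULL,
                capture_output=True,
                text=True,
                timeout=timeout,          # wall clock; run() kills the child on expiry
                preexec_fn=_limit_child,  # single-threaded caller, so preexec_fn is safe here
                check=False,
            )
        except subprocess.TimeoutExpired:
            return {"status": "timeout"}
    return {
        "status": "exit",
        "returncode": proc.returncode,
        "stdout": proc.stdout,
        "stderr": proc.stderr,
    }


if __name__ == "__main__":
    print(run_untrusted("print(2 + 2)"))
    print(run_untrusted("x = bytearray(10**9)"))          # MemoryError under RLIMIT_AS
    print(run_untrusted("while True: pass", timeout=1.0))  # killed by the timeout
```

The rlimits are a floor, not a sandbox: they stop a submission from spinning, forking or exhausting memory, but the child still runs as the CGI user with its filesystem and network access, so on a normal Debian host this belongs under a dedicated unprivileged user (or a container/seccomp policy) in addition to whatever the in-process whitelist does.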

