
Re: Python CGI sandboxing advice (packaging of Online Python Tutor)



Hi.

Jakub Wilk <jwilk@debian.org> writes:

> * Jakub Wilk <jwilk@debian.org>, 2014-02-13, 00:27:
>>>The CGI's code is supposed to be safeguarding against abuse,
>>The protection is not very good. (I'll disclose the details later.)
>
> The exploit I had in mind was:
>
> 	import re
> 	from re import sys
> 	imp = re.sys.modules['imp']
> 	posix = imp.load_dynamic('', 'posix')
>
> which gives you access to the goodies of the posix module. There's a 
> resource limit that prevents you from opening any file, but you can do 
> chmod(), chown(), remove(), rename(), kill(), …
>
> Apparently this is now fixed:
> https://github.com/pgbovine/OnlinePythonTutor/commit/eab7cb1c717a
>
> I wouldn't be surprised if there were other clever ways to bypass OPT's 
> security restrictions, and upstream doesn't seem too confident about this 
> code either.

Thanks for sharing this. I'll have to read about re.sys (WTF ?)...

FWIW, I've put a hold on my tests of packaging OPT, while I was
investigating the use of Docker for sandboxing Web apps in its
containers.

For instance, I've been playing with FusionForge's mediawiki (including
its PostgreSQL and Apache dependencies) in such an environment, and it
seems one possible way...

I'm not sure whether others have similar plans using Docker for
something that could be done "the debian way". Probably deserves another
post.

Best regards,
-- 
Olivier BERGER 
http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)
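
An audit a sandbox maintainer could run for the `re.sys` style of leak in the quoted exploit, as an added example (not part of this thread and not OPT's code): it walks module attributes and reports every module object reachable from an allowed module that is not itself allowed. `leaked_modules`, `fake_re`, `fake_util` and `ALLOWED` are hypothetical names and constructed stand-ins, not OPT's real whitelist.

```python
import sys
import types


def leaked_modules(root, allowed, max_depth=3):
    """Return {dotted_path: module_name} for every module object reachable
    by attribute access from `root` whose name is not in `allowed`."""
    leaks = {}
    seen = {id(root)}
    queue = [(root.__name__, root, 0)]
    while queue:
        path, mod, depth = queue.pop(0)
        for attr, value in sorted(vars(mod).items()):
            if not isinstance(value, types.ModuleType):
                continue
            child = f"{path}.{attr}"
            name = getattr(value, "__name__", "?")
            if name not in allowed:
                # Reachable from sandboxed code although never whitelisted.
                leaks[child] = name
            elif id(value) not in seen and depth + 1 < max_depth:
                # Allowed module: keep walking, it may leak something itself.
                seen.add(id(value))
                queue.append((child, value, depth + 1))
    return leaks


# Constructed stand-ins for sandbox-visible modules (assumption, not OPT's list).
fake_re = types.ModuleType("fake_re")
fake_re.sys = sys                  # mirrors the `re.sys` reference in the exploit
fake_util = types.ModuleType("fake_util")
fake_util.regex = fake_re          # an allowed module that is reached indirectly

ALLOWED = {"fake_re", "fake_util"}

if __name__ == "__main__":
    for path, name in leaked_modules(fake_util, ALLOWED).items():
        print(f"{path} -> {name}")
    # The same walk over the real `re` module of the running interpreter.
    import re
    for path, name in leaked_modules(re, {"re"}).items():
        print(f"{path} -> {name}")
```

A non-empty result means a name-based import filter alone does not confine the code: the listed attribute paths hand out module objects the filter never saw.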

