Python: Securing untrusted scripts/subprocess with chroot and chjail?

Question

I'm writing a web server based on Python which should be able to execute "plugins" so that functionality can be easily extended.

For this I considered the approach of having a number of folders (one for each plugin) and a number of shell/Python scripts in there, named after predefined names for the different events that can occur.

One example is to have an on_pdf_uploaded.py file which is executed when a PDF is uploaded to the server. To do this I would use Python's subprocess tools.

For convenience and security, this would allow me to use Unix environment variables to provide further information and to set the working directory (cwd) of the process so that it can access the right files without having to find their location.

Since the plugin code is coming from an untrusted source, I want to make it as secure as possible. My idea was to execute the code in a subprocess, but put it into a chroot jail with a different user, so that it can't access any other resources on the server.

Unfortunately I couldn't find anything about this, and I wouldn't want to rely on the untrusted script to put itself into a jail.

Furthermore, I can't put the main/calling process into a chroot jail either, since plugin code might be executed in multiple processes at the same time while the server is answering other requests.

So here's the question: how can I execute subprocesses/scripts in a chroot jail with minimum privileges to protect the rest of the server from being damaged by faulty, untrusted code?

Thanks!

Answer

After creating your jail you would call os.chroot from your Python source to go into it. But even then, any shared libraries or module files already opened by the interpreter would still be open, and I have no idea what the consequences of closing those files via os.close would be; I've never tried it.

Even if this works, setting up a chroot is a big deal, so be sure the benefit is worth the price. In the worst case you would have to ensure that the entire Python runtime with all modules you intend to use, as well as all dependent programs and shared libraries and other files from /bin, /lib etc., are available within each jailed filesystem. And of course, doing this won't protect other types of resources, i.e. network destinations, databases.

An alternative could be to read in the untrusted code as a string and then exec code in mynamespace, where mynamespace is a dictionary defining only the symbols you want to expose to the untrusted code. This would be sort of a "jail" within the Python VM. You might have to parse the source first looking for things like import statements, unless replacing the built-in __import__ function would intercept that (I'm unsure).
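
The question asks how to launch a hook script as a subprocess inside a chroot with minimum privileges, and the answer describes calling os.chroot from Python. The following is an added example, not code from the question or the answer, showing how the two fit together with the subprocess module: the jail entry and the privilege drop happen in preexec_fn, which runs in the forked child after subprocess has closed the inherited file descriptors and just before exec(), so the answer's concern about files the server's interpreter already holds open does not arise for the child. The jail layout (a copy of the interpreter at /usr/bin/python3, hook scripts under /plugin, working files under /work inside each jail) and the PLUGIN_* variable names are assumptions made for this example; Linux is assumed for the resource limits.

```python
import os
import re
import resource
import subprocess

# Assumed jail layout (hypothetical for this example): each plugin has its own
# directory on the host, e.g. /srv/jails/<plugin>, which becomes "/" for the
# child. Inside it: a copy of the interpreter and its libraries at
# /usr/bin/python3 and /lib, the hook scripts under /plugin, and the files
# the hook is allowed to touch under /work.
_NAME_RE = re.compile(r"^[a-z][a-z0-9_]*$")


def plugin_script(event):
    """Path of the hook script as seen from inside the jail.

    Event names are chosen by the server, but validating them means a stray
    value can never turn into a path traversal such as "../etc/passwd".
    """
    if not _NAME_RE.match(event):
        raise ValueError(f"bad event name: {event!r}")
    return f"/plugin/on_{event}.py"


def minimal_env(event, **info):
    """A fresh environment for the child: nothing is inherited from the server
    (no secrets, no PYTHON* variables), only PATH/LANG/HOME plus the event
    details as PLUGIN_* variables, as the question proposes."""
    env = {"PATH": "/usr/bin:/bin", "LANG": "C", "HOME": "/work",
           "PLUGIN_EVENT": event}
    for key, value in info.items():
        if not _NAME_RE.match(key):
            raise ValueError(f"bad variable name: {key!r}")
        env["PLUGIN_" + key.upper()] = str(value)
    return env


def make_preexec(jail_root, uid, gid, cpu_seconds=10, mem_bytes=256 * 2**20):
    """Build the function that runs in the child between fork() and exec().

    Order matters: chroot() needs root, so it comes first; setuid() comes
    last because after it nothing can be undone. Resource limits are set
    while still root so the plugin cannot raise them again. subprocess's own
    user=/group= arguments cannot be used here: CPython applies them before
    preexec_fn runs, and chroot() would then fail.
    """
    def preexec():
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
        resource.setrlimit(resource.RLIMIT_NPROC, (32, 32))
        os.chroot(jail_root)
        os.chdir("/work")          # cwd inside the jail, never the old tree
        os.setgroups([])           # drop supplementary groups (root's!)
        os.setgid(gid)
        os.setuid(uid)
        try:                       # the drop must be irreversible
            os.setuid(0)
        except PermissionError:
            return
        raise RuntimeError("privilege drop did not take effect")
    return preexec


def run_plugin(jail_root, event, uid, gid, timeout=30, **info):
    """Run /plugin/on_<event>.py inside jail_root as uid:gid and return the
    CompletedProcess. Raises before spawning if the hook is missing or the
    caller is not root (chroot() and setuid() need it)."""
    script = plugin_script(event)
    host_path = os.path.join(jail_root, script.lstrip("/"))
    if not os.path.isfile(host_path):
        raise FileNotFoundError(host_path)
    if os.geteuid() != 0:
        raise PermissionError("chroot()/setuid() need root or CAP_SYS_CHROOT")
    return subprocess.run(
        ["/usr/bin/python3", "-I", script],   # -I: ignore PYTHON* and user site
        env=minimal_env(event, **info),
        preexec_fn=make_preexec(jail_root, uid, gid),
        stdin=subprocess.DEVNULL,
        capture_output=True,
        timeout=timeout,       # SIGKILL on expiry; RLIMIT_CPU covers busy loops
        check=False,
    )


if __name__ == "__main__":
    result = run_plugin("/srv/jails/pdftools", "pdf_uploaded", uid=65534,
                        gid=65534, file="/work/upload.pdf")
    print(result.returncode, result.stderr.decode(errors="replace"))
```

preexec_fn is documented as unsafe in the presence of threads in the parent, so a threaded server should spawn through a single-threaded helper process, or move the chroot/setuid sequence into a small wrapper executable. The root check exists because chroot() needs CAP_SYS_CHROOT; hold that privilege only in the process that does the spawning. The answer's warning still stands: a chroot does nothing about network destinations or database credentials the plugin can reach, so those need separate controls (a network namespace, firewall rules, or simply not giving the plugin credentials).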

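On the answer's second suggestion, the exec-in-a-namespace "jail", two points a practitioner should know, shown as an added example rather than code from the answer. First, replacing __import__ in the namespace's __builtins__ does intercept import statements: the import bytecode resolves __import__ through the frame's builtins, so no source parsing is needed. Second, the namespace limits which names the code starts with, not which objects it can reach: ordinary attribute access walks from a literal to object, to every class in the process, and back to a module's real builtins. The probe string is constructed for this example.

```python
import builtins
import os  # the server has os loaded anyway; the probe shows the sandbox can reach it


def blocked_import(name, *args, **kwargs):
    """Stand-in for __import__: every import statement ends up here."""
    raise ImportError(f"import of {name!r} is not allowed in plugin code")


def run_restricted(code, exposed):
    """Execute untrusted source in a namespace that exposes only `exposed`
    plus a handful of builtins, and return the namespace for inspection."""
    safe_builtins = {"__import__": blocked_import, "len": len, "range": range,
                     "min": min, "max": max, "sum": sum}
    namespace = {"__builtins__": safe_builtins}
    namespace.update(exposed)
    exec(code, namespace)
    return namespace


def import_is_intercepted():
    """True: `import os` looks up __import__ in the frame's builtins dict."""
    try:
        run_restricted("import os", {})
    except ImportError:
        return True
    return False


# Constructed probe, the kind of code a plugin author could submit: it never
# names "os", "open" or "__import__", yet walks from an empty tuple to object,
# to every class in the process, and to the real builtins of the first
# Python-defined class it finds (a bare except keeps it free of builtin names).
ESCAPE_PROBE = """
found = None
for cls in ().__class__.__base__.__subclasses__():
    try:
        g = cls.__init__.__globals__
    except:
        continue
    if "__builtins__" in g:
        found = g["__builtins__"]
        break
"""


def real_builtins_reachable():
    """The caveat: the namespace restricts names, not objects. Returns True
    when the probe recovered the interpreter's real builtins (as the dict a
    module's globals carry, or the builtins module itself)."""
    found = run_restricted(ESCAPE_PROBE, {})["found"]
    return found is builtins or found is builtins.__dict__
```

CPython has no supported restricted-execution mode (the old rexec and Bastion modules were removed for exactly this reason), so a namespace of this kind is a convenience boundary for trusted-but-sloppy code, not a security boundary for untrusted plugins. For the question's threat model, a separate process under a different user in its own chroot, as proposed in the question itself, is the one of the two approaches that actually isolates anything.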