Chroot Jail对于沙盒Python不安全? [英] Chroot Jail Not Secure for Sandboxing Python?
问题描述
这个wiki页面建议使用chroot jail来沙箱Python,但是
在你的沙盒Python实例中不会运行这样的东西
仍然会让你失控chroot jail:
os.execle(''/ usr / bin / python'','' - c'',''import os; os.execlp(" / bin / sh)'',
{})
或者可能:
del os.environ [''LD_PRELOAD'']
os.execl(''/ usr / bin / python'','' - c'',''import os; os.execlp(" / bin) / sh)'')
我的ISP建议将这些作为我的chroot
监狱请求的反例。 (我甚至无法让chroot中的Python运行来测试这个,也不是我可以在Ubuntu上用Python在本地运行这些命令,尽管也许
他们打开了吗? )
那么一个chroot监狱不适合沙盒Python?
-Greg
This wiki page suggests using a chroot jail to sandbox Python, but
wouldn''t running something like this in your sandboxed Python instance
still break you out of the chroot jail:
os.execle (''/usr/bin/python'',''-c'',''import os; os.execlp("/bin/sh")'',
{})
or maybe:
del os.environ[''LD_PRELOAD'']
os.execl (''/usr/bin/python'',''-c'',''import os; os.execlp("/bin/sh")'')
My ISP suggested these as counter-examples to my request for a chroot
jail. (I couldn''t even get Python running in chroot to test this, nor
could I run these commands locally in Python on Ubuntu, though maybe
they opened sh?)
So is a chroot jail not adequate for sandboxing Python?
-Greg
推荐答案
6月25日上午1:21,gregpin ... @ gmail.com < gregpin ... @ gmail.com>
写道:
On Jun 25, 1:21 am, "gregpin...@gmail.com" <gregpin...@gmail.com>
wrote:
这个维基页面建议使用chroot jail来沙箱Python,但是
在你的沙盒Python实例中不会运行这样的东西
仍然会让你离开chroot监狱:
os.execle(''/ usr / bin / python'','' - c'',''import os; os.execlp(" / bin / sh")'',
{})
或者可能:
del os.environ [''LD_PRELOAD'']
os .execl(''/ usr / bin / python'','' - c'',''import os; os.execlp(" / bin / sh")'')
我的ISP建议这些作为我的chroot
监狱请求的反例。 (我甚至无法让chroot中的Python运行来测试这个,也不是我可以在Ubuntu上用Python在本地运行这些命令,尽管也许
他们打开了吗? )
那么一个chroot监狱不适合沙盒Python?
-Greg
This wiki page suggests using a chroot jail to sandbox Python, but
wouldn''t running something like this in your sandboxed Python instance
still break you out of the chroot jail:
os.execle (''/usr/bin/python'',''-c'',''import os; os.execlp("/bin/sh")'',
{})
or maybe:
del os.environ[''LD_PRELOAD'']
os.execl (''/usr/bin/python'',''-c'',''import os; os.execlp("/bin/sh")'')
My ISP suggested these as counter-examples to my request for a chroot
jail. (I couldn''t even get Python running in chroot to test this, nor
could I run these commands locally in Python on Ubuntu, though maybe
they opened sh?)
So is a chroot jail not adequate for sandboxing Python?
-Greg
编辑:Google网页删除了网址。它是
http://wiki.python.org /moin/How_can_..._(ie_Sandbox )
(或者在Python wiki上标题为this的页面,如果它再次删除url
) )
如何安全地运行不受信任的Python脚本(即Sandbox)
-Greg
Google groups stripped out the URL. It''s
http://wiki.python.org/moin/How_can_..._(i.e._Sandbox)
(or the page titled this on the Python wiki if it strips out the url
above again)
"How can I run an untrusted Python script safely (i.e. Sandbox)"
-Greg
gr********@gmail.com schrieb:
gr********@gmail.com schrieb:
这个wiki页面建议使用chroot jail来沙箱Python,但是
在你的沙盒Python实例中不会运行这样的东西
仍然让你离开chroot监狱:
os.execle(''/ usr / bin / python'','' - c'' ,''import os; os.execlp(" / bin / sh")'',
{})
This wiki page suggests using a chroot jail to sandbox Python, but
wouldn''t running something like this in your sandboxed Python instance
still break you out of the chroot jail:
os.execle (''/usr/bin/python'',''-c'',''import os; os.execlp("/bin/sh")'',
{})
取决于如何设置chroot监狱up,这个命令可能不会
工作 - 在监狱里,/ bin / sh可能不存在。
Depending on how the chroot jail is set up, this command might not
work - in the jail, /bin/sh might not exist.
或者可能:
del os.environ [''LD_PRELOAD'']
os.execl(''/ usr / bin / python'','' - c'', ''导入os; os.execlp(" / bin / sh")'')
or maybe:
del os.environ[''LD_PRELOAD'']
os.execl (''/usr/bin/python'',''-c'',''import os; os.execlp("/bin/sh")'')
如何删除LD_PRELOAD帮助? chroot不是库技巧。
这是在操作系统中实现的机制。
How could deleting LD_PRELOAD help? chroot is not a library trick.
It''s a mechanism implemented in the operating system.
所以chroot监狱不适合沙盒Python?
So is a chroot jail not adequate for sandboxing Python?
您必须定义威胁模型。如果要防止的威胁是恶意用户获取您的数据,或者通过您的文件传播病毒
,那么chroot就足够了。
问候,
Martin
You have to define your threat model. If the threat to prevent is
a malicious user getting at your data, or spreading a virus
through your files, then chroot is perfectly adequate.
Regards,
Martin
6月25日上午1:43,Martin v.L?wis < mar ... @ v.loewis.dewrote:
On Jun 25, 1:43 am, "Martin v. L?wis" <mar...@v.loewis.dewrote:
gregpin ... @ gmail.com schrieb:
gregpin...@gmail.com schrieb:
这个wiki页面建议使用chroot jail来沙箱Python,但是
在你的沙盒Python实例中不会运行这样的东西
仍然打破你离开chroot监狱:
This wiki page suggests using a chroot jail to sandbox Python, but
wouldn''t running something like this in your sandboxed Python instance
still break you out of the chroot jail:
os.execle(''/ usr / bin / python'','' - c'','' import os; os.execlp(" / bin / sh")'',
{})
os.execle (''/usr/bin/python'',''-c'',''import os; os.execlp("/bin/sh")'',
{})
取决于chroot的方式jail已设置,此命令可能不会工作 - 在监狱中,/ bin / sh可能不存在。
Depending on how the chroot jail is set up, this command might not
work - in the jail, /bin/sh might not exist.
这也是我的想法。我只是觉得这个命令有一些特殊的
,它带来了一个真实的命令。 Python intrepreter
然后到真正的/ bin / sh。这很奇怪,我的ISP似乎认为
这是一种突破的方法。我只需要在本地测试
就可以了。
This was my thought too. I just figured there was something special
about this command that brought one to the "real" Python intrepreter
and then to the real "/bin/sh". That''s odd, my ISP seem adament that
this is a way to break out. I''ll just have to put in the work to test
to locally I guess.
那么一个chroot监狱不适合沙盒Python吗?
So is a chroot jail not adequate for sandboxing Python?
您必须定义威胁模型。如果要防止的威胁是恶意用户获取您的数据,或者通过您的文件传播病毒
,那么chroot就足够了。
You have to define your threat model. If the threat to prevent is
a malicious user getting at your data, or spreading a virus
through your files, then chroot is perfectly adequate.
是的,听起来像我的威胁模型。也许会阻止某人从我的服务器发送垃圾邮件或DOS。
-Greg
Yeah, sounds like my threat model. Maybe prevent someone sending
spam, or DOS from my server too.
-Greg
这篇关于Chroot Jail对于沙盒Python不安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
