Chroot and Python discussion and random pyc thoughts

by jesse


Since I'm finally back from another exciting edition of almost-labor at the hospital and catching up, I thought I would point out a discussion on python-dev about chroot jails and python. Interesting information and tangentially related to some of my thoughts on the .pyc location stuff. The conversation is going on here and you can view some other information.

Of course, there's a shout out to Brett's security work too.

Here is the wiki page referenced in the thread: How can I run an untrusted Python script safely (i.e. Sandbox)

A lot of the utilities are interesting, but I'm still interested in the byte-code location of things.

Some thoughts on my pyc thing:

- One thing to note is that if the user running the python interpreter does not have write (+w) access to the directory the imported .py is located in, the .pyc/.pyo file is not written. A .pyc file is an optimization for module loading only.

Since this is the case, is worrying about layered filesystems/storing .pyc files in "other" directories really that hot of an issue for me? Maybe. I'd still like to see if I can get the wherewithal to drive PEP 304 forward - I'd still like to be able to control where to put things, but if you use compileall() and ship the .pyo/.pyc stuff *or* you just make sure the daemon that's invoking the interpreter does not have +w on its script/binary directory (which it shouldn't) you could be ok.
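
A deploy-time check for the two mitigations above, as an added example that is not from the original post: precompile with `compileall`, then confirm the account that runs the interpreter has no write bit on the code directories and that no module is left without bytecode. `mode_allows_write`, `precompile` and `audit_tree` are hypothetical names, and the code assumes Python 3 on POSIX, where bytecode is cached under `__pycache__` rather than beside the `.py` file.

```python
import compileall
import importlib.util
import os
import stat


def mode_allows_write(path, uid, gids=()):
    """True if the permission bits on path grant write to uid/gids.

    Simplification: only owner/group/other mode bits are checked;
    ACLs and the root override are ignored.
    """
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def precompile(root):
    """Build bytecode for every module under root at deploy time."""
    return bool(compileall.compile_dir(root, quiet=1))


def audit_tree(root, uid, gids=()):
    """Return (writable_dirs, uncompiled) for the account that runs the code.

    writable_dirs: directories where that account could drop or replace
    bytecode. uncompiled: .py files with no cached bytecode, which the
    interpreter would try to compile and write at import time.
    """
    writable_dirs, uncompiled = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        if mode_allows_write(dirpath, uid, gids):
            writable_dirs.append(dirpath)
        for name in filenames:
            if name.endswith(".py"):
                src = os.path.join(dirpath, name)
                if not os.path.exists(importlib.util.cache_from_source(src)):
                    uncompiled.append(src)
    return sorted(writable_dirs), sorted(uncompiled)
```

Run `precompile` as the deploying user, then call `audit_tree` with the daemon's uid and group ids; both returned lists should be empty before the service starts.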