1

I have a Python virtualenv, and the Python executable is located in the /bin directory. In this virtualenv I'll have to execute some unsafe code that can damage my system. I tried to chmod a-r on the virtualenv, and now nobody can write there, but its parent directory is now unprotected.
So I thought I could change permissions on /bin/python, so that it can write nowhere. How can I do this?
I tried chmod a-r bin/python but it is still allowed to remove files and directories even outside the env.

Mat
  • 52,586
rubik
  • 837

4 Answers

2

Firstly, chmod a-r bin/python does not prevent python from removing files. It prevents anyone who is not the owner or not in the correct group from reading that file.

If you wish to run unsafe code in a "jail", I suggest using a chroot jail. Bear in mind that in order for chroot to work effectively, the python executable should not be run with root privileges.

bbaja42
  • 2,800
  • As is emphasized on the page you link to, chroot doesn't provide the security that BSD jails do, and it might help if we stopped talking informally of "chroot jails". (AFAIK no-one uses that phrase officially either.) If the code might be malicious and deliberately try to escape a chroot, this won't give you any protection. But there are many use cases where that's not a concern; you just want to protect against possibly broken code, etc. In those cases a chroot is a good solution. – dubiousjim Jan 12 '13 at 13:21
1

Python will run with the permissions of the user that invokes it, so you will never be able to limit what it can touch, manipulate and read.

Tim
  • 6,141
1

Actually, chmod a-r bin/python prevents the file's owner, those in the file's group, and all other users from reading the file (except the superuser of course). chmod o-r bin/python would prevent all users except the owner and those in the file's group from reading the file. The file permissions of an executable do not affect its ability to read or edit other files. File permissions only determine which users can read, write, and execute the files to which they are applied (and a few other things).

0

I see several options:

  • Use a virtual machine
  • Run inside a chroot
  • Run under a different user
  • Restrict with a LKM like apparmor.

They are compatible, so you could apply several of them.

As mentioned above, a chroot or a different user won't avoid network (ab)usage.

Additionally, note that the restrictions imposed on /usr/bin/python will affect all the python programs you run. You may be interested in using a different filename for locking down without affecting the rest of the system.

Ángel
  • 3,589
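
An added example, not part of the original thread, showing the point made in the answers above: mode bits on an executable do not limit what the process can do, while the permissions of the target directory relative to the invoking user do. It assumes a POSIX shell, works only inside a throwaway mktemp directory, and uses a private copy of rm as a stand-in for the virtualenv's bin/python; all function names are made up for this demo.

```shell
#!/bin/sh
# Constructed demo: every file it touches lives under a fresh mktemp directory.
# env/bin/rm is a private copy of rm, standing in for the virtualenv's bin/python.

setup() {
    WORK=$(mktemp -d) || return 1
    mkdir -p "$WORK/env/bin" "$WORK/outside" || return 1
    cp "$(command -v rm)" "$WORK/env/bin/rm" || return 1
    chmod a-r "$WORK/env/bin/rm"   # what the question tried on bin/python
    : > "$WORK/outside/victim"     # a file outside the "env" directory
}

# Returns 0 if the unreadable binary still deleted a file outside env/.
unreadable_binary_still_deletes() {
    "$WORK/env/bin/rm" -f "$WORK/outside/victim" 2>/dev/null || :
    [ ! -e "$WORK/outside/victim" ]
}

# Returns 0 if removing write permission from the target directory blocked
# the delete. This is the check the kernel applies: invoking user vs. the
# directory's mode. Root bypasses it, so as root this returns 1.
readonly_dir_blocks_delete() {
    : > "$WORK/outside/victim2"
    chmod a-w "$WORK/outside"
    "$WORK/env/bin/rm" -f "$WORK/outside/victim2" 2>/dev/null || :
    [ -e "$WORK/outside/victim2" ]
}

cleanup() {
    chmod -R u+rwx "$WORK" 2>/dev/null
    rm -rf "$WORK"
}

run_demo() {
    setup || return 1
    if unreadable_binary_still_deletes; then
        echo "chmod a-r on the binary: file outside env/ was still deleted"
    fi
    if readonly_dir_blocks_delete; then
        echo "chmod a-w on the target directory: delete refused"
    else
        echo "delete not refused (running as root bypasses mode bits)"
    fi
    cleanup
}

run_demo
```

Running the untrusted code as a separate unprivileged user applies the second check to every directory that user has no write permission on.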