What about using exec builtin function and writing a custom import hook? Just thinking off the top of my head. 


On 2 February 2013 23:39, PAX <onkelpax-jython@yahoo.de> wrote:
Thanks for all your advices and hints!

Cheers

PAX


Gesendet: 22:17 Samstag, 2.Februar 2013
Betreff: Re: [Jython-users] How to restrict accessible packages

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/02/2013 05:47 PM, PAX wrote:
> The problem is, that I want to run untrusted Jython user code on a
> server machine. There's a small API that should be used by the
> user. The web application itselfs needs access to different Java
> classes (e.g. java.io.*). But the user code must be restricted.
>
> Furthermore, I need to restrict the maximum heap for the user
> code.

> Possibly, this is only realizable with a separte JVM.

Yes, that sounds like the right approach: A separate JVM with a
special SecurityManager and Classloader. You probably also want to
kill the program if it does not terminate within a given time.

Another good security measure is to use strict interfaces for passing
calls and messages, and to enforce the interface using defensive
programming. I don't know your application, but if you don't
necessarily need a programming language the user can input, a simple
declarative language you can parse yourself would be safer.

Cheers,
      Johannes

PS: some more potentially useful links:
http://stackoverflow.com/questions/1715036/how-do-i-create-a-java-sandbox
http://stackoverflow.com/questions/4249063/how-can-i-run-an-untrusted-c-program-in-a-sandbox-in-linux

> *Von:* Johannes Buchner <buchner.johannes@gmx.at> *An:*
> jython-users@lists.sourceforge.net *Gesendet:* 17:24 Samstag,
> 2.Februar 2013 *Betreff:* Re: [Jython-users] How to restrict
> accessible packages
>
> On 02/02/2013 05:11 PM, PAX wrote:
>> Hi friends of Jython
>
>> I've got a question: Is it possible to let Jython restrict the
>> access to specific Java packages? For instance, how can I tell
>> Jython to reject the usage of classes from "java.io.*" in user
>> code?
>
> Perhaps you can achieve what you want using Java permissions:
>
> http://docs.oracle.com/javase/6/docs/technotes/guides/security/PolicyFiles.html
>

> http://docs.oracle.com/javase/6/docs/technotes/guides/security/permissions.html#FilePermission
>
>  Can you elaborate why you want to restrict access to java.io? I
> think if you try to cripple Jython, you will run into many issues
> and it may not even run. Permissions seem to be the right way (TM)
> to restrict IO.
>
> Cheers, Johannes
>
>
>> Is this possible?
>
>> Cheers
>
>> PAX
>
>
>
> ------------------------------------------------------------------------------
>
>
>
> Everyone hates slow websites. So do we.
>> Make your web apps faster with AppDynamics Download AppDynamics
>> Lite for free today: http://p.sf.net/sfu/appdyn_d2d_jan
>
>
>
>> _______________________________________________ Jython-users
>> mailing list Jython-users@lists.sourceforge.net
> <mailto:Jython-users@lists.sourceforge.net>
>> https://lists.sourceforge.net/lists/listinfo/jython-users
>
>
> ------------------------------------------------------------------------------
>
>
Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics Download AppDynamics
> Lite for free today: http://p.sf.net/sfu/appdyn_d2d_jan
> _______________________________________________ Jython-users
> mailing list Jython-users@lists.sourceforge.net
> <mailto:Jython-users@lists.sourceforge.net>
> https://lists.sourceforge.net/lists/listinfo/jython-users
>
>
>
>
> ------------------------------------------------------------------------------
>
>
Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics Download AppDynamics
> Lite for free today: http://p.sf.net/sfu/appdyn_d2d_jan
>
>
>
> _______________________________________________ Jython-users
> mailing list Jython-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/jython-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iEYEARECAAYFAlENgmgACgkQ7X1+MfqVcr0DIwCbBUBnHfNFSMoq5nMv+flk4OfY
XM4An15MA2WdEGU5uqdzE6J0IQIGLTQV
=efjt
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan
_______________________________________________
Jython-users mailing list
Jython-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jython-users



------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan
_______________________________________________
Jython-users mailing list
Jython-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jython-users