From: PAX <onk...@ya...> - 2013-02-02 16:11:43
|
Hi friends of Jython I've got a question: Is it possible to let Jython restrict the access to specific Java packages? For instance, how can I tell Jython to reject the usage of classes from "java.io.*" in user code? Is this possible? Cheers PAX |
From: Johannes B. <buc...@gm...> - 2013-02-02 16:24:26
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 02/02/2013 05:11 PM, PAX wrote: > Hi friends of Jython > > I've got a question: Is it possible to let Jython restrict the > access to specific Java packages? For instance, how can I tell > Jython to reject the usage of classes from "java.io.*" in user > code? Perhaps you can achieve what you want using Java permissions: http://docs.oracle.com/javase/6/docs/technotes/guides/security/PolicyFiles.html http://docs.oracle.com/javase/6/docs/technotes/guides/security/permissions.html#FilePermission Can you elaborate why you want to restrict access to java.io? I think if you try to cripple Jython, you will run into many issues and it may not even run. Permissions seem to be the right way (TM) to restrict IO. Cheers, Johannes > > Is this possible? > > Cheers > > PAX > > > ------------------------------------------------------------------------------ > > Everyone hates slow websites. So do we. > Make your web apps faster with AppDynamics Download AppDynamics > Lite for free today: http://p.sf.net/sfu/appdyn_d2d_jan > > > > _______________________________________________ Jython-users > mailing list Jyt...@li... > https://lists.sourceforge.net/lists/listinfo/jython-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) iEYEARECAAYFAlENPa4ACgkQ7X1+MfqVcr3hzgCfRxRtm565wr+xlK4UO+4tX2KS eFcAn2S2A+M4afdF9eS84N7ihsW9ZNqU =znpL -----END PGP SIGNATURE----- |
From: Marcos M. <ma...@ji...> - 2013-02-02 21:14:18
|
custom classloader? On Feb 2, 2013, at 11:24, Johannes Buchner <buc...@gm...> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 02/02/2013 05:11 PM, PAX wrote: >> Hi friends of Jython >> >> I've got a question: Is it possible to let Jython restrict the >> access to specific Java packages? For instance, how can I tell >> Jython to reject the usage of classes from "java.io.*" in user >> code? > > Perhaps you can achieve what you want using Java permissions: > > http://docs.oracle.com/javase/6/docs/technotes/guides/security/PolicyFiles.html > > http://docs.oracle.com/javase/6/docs/technotes/guides/security/permissions.html#FilePermission > > Can you elaborate why you want to restrict access to java.io? > I think if you try to cripple Jython, you will run into many issues > and it may not even run. Permissions seem to be the right way (TM) to > restrict IO. > > Cheers, > Johannes > >> >> Is this possible? >> >> Cheers >> >> PAX >> >> >> ------------------------------------------------------------------------------ > Everyone hates slow websites. So do we. >> Make your web apps faster with AppDynamics Download AppDynamics >> Lite for free today: http://p.sf.net/sfu/appdyn_d2d_jan >> >> >> >> _______________________________________________ Jython-users >> mailing list Jyt...@li... >> https://lists.sourceforge.net/lists/listinfo/jython-users > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2.0.19 (GNU/Linux) > > iEYEARECAAYFAlENPa4ACgkQ7X1+MfqVcr3hzgCfRxRtm565wr+xlK4UO+4tX2KS > eFcAn2S2A+M4afdF9eS84N7ihsW9ZNqU > =znpL > -----END PGP SIGNATURE----- > > ------------------------------------------------------------------------------ > Everyone hates slow websites. So do we. > Make your web apps faster with AppDynamics > Download AppDynamics Lite for free today: > http://p.sf.net/sfu/appdyn_d2d_jan > _______________________________________________ > Jython-users mailing list > Jyt...@li... > https://lists.sourceforge.net/lists/listinfo/jython-users |
From: PAX <onk...@ya...> - 2013-02-02 16:47:51
|
Hi Johannes. Thanks for your answer! The problem is, that I want to run untrusted Jython user code on a server machine. There's a small API that should be used by the user. The web application itselfs needs access to different Java classes (e.g. java.io.*). But the user code must be restricted. Furthermore, I need to restrict the maximum heap for the user code. Possibly, this is only realizable with a separte JVM. Cheers PAX ________________________________ Von: Johannes Buchner <buc...@gm...> An: jyt...@li... Gesendet: 17:24 Samstag, 2.Februar 2013 Betreff: Re: [Jython-users] How to restrict accessible packages -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 02/02/2013 05:11 PM, PAX wrote: > Hi friends of Jython > > I've got a question: Is it possible to let Jython restrict the > access to specific Java packages? For instance, how can I tell > Jython to reject the usage of classes from "java.io.*" in user > code? Perhaps you can achieve what you want using Java permissions: http://docs.oracle.com/javase/6/docs/technotes/guides/security/PolicyFiles.html http://docs.oracle.com/javase/6/docs/technotes/guides/security/permissions.html#FilePermission Can you elaborate why you want to restrict access to java.io? I think if you try to cripple Jython, you will run into many issues and it may not even run. Permissions seem to be the right way (TM) to restrict IO. Cheers, Johannes > > Is this possible? > > Cheers > > PAX > > > ------------------------------------------------------------------------------ > > Everyone hates slow websites. So do we. > Make your web apps faster with AppDynamics Download AppDynamics > Lite for free today: http://p.sf.net/sfu/appdyn_d2d_jan > > > > _______________________________________________ Jython-users > mailing list Jyt...@li... > https://lists.sourceforge.net/lists/listinfo/jython-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) iEYEARECAAYFAlENPa4ACgkQ7X1+MfqVcr3hzgCfRxRtm565wr+xlK4UO+4tX2KS eFcAn2S2A+M4afdF9eS84N7ihsW9ZNqU =znpL -----END PGP SIGNATURE----- ------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_jan _______________________________________________ Jython-users mailing list Jyt...@li... https://lists.sourceforge.net/lists/listinfo/jython-users |
From: Johannes B. <buc...@gm...> - 2013-02-02 21:17:41
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 02/02/2013 05:47 PM, PAX wrote: > The problem is, that I want to run untrusted Jython user code on a > server machine. There's a small API that should be used by the > user. The web application itselfs needs access to different Java > classes (e.g. java.io.*). But the user code must be restricted. > > Furthermore, I need to restrict the maximum heap for the user > code. > Possibly, this is only realizable with a separte JVM. Yes, that sounds like the right approach: A separate JVM with a special SecurityManager and Classloader. You probably also want to kill the program if it does not terminate within a given time. Another good security measure is to use strict interfaces for passing calls and messages, and to enforce the interface using defensive programming. I don't know your application, but if you don't necessarily need a programming language the user can input, a simple declarative language you can parse yourself would be safer. Cheers, Johannes PS: some more potentially useful links: http://stackoverflow.com/questions/1715036/how-do-i-create-a-java-sandbox http://stackoverflow.com/questions/4249063/how-can-i-run-an-untrusted-c-program-in-a-sandbox-in-linux > *Von:* Johannes Buchner <buc...@gm...> *An:* > jyt...@li... *Gesendet:* 17:24 Samstag, > 2.Februar 2013 *Betreff:* Re: [Jython-users] How to restrict > accessible packages > > On 02/02/2013 05:11 PM, PAX wrote: >> Hi friends of Jython > >> I've got a question: Is it possible to let Jython restrict the >> access to specific Java packages? For instance, how can I tell >> Jython to reject the usage of classes from "java.io.*" in user >> code? > > Perhaps you can achieve what you want using Java permissions: > > http://docs.oracle.com/javase/6/docs/technotes/guides/security/PolicyFiles.html > > > http://docs.oracle.com/javase/6/docs/technotes/guides/security/permissions.html#FilePermission > > Can you elaborate why you want to restrict access to java.io? I > think if you try to cripple Jython, you will run into many issues > and it may not even run. Permissions seem to be the right way (TM) > to restrict IO. > > Cheers, Johannes > > >> Is this possible? > >> Cheers > >> PAX > > > > ------------------------------------------------------------------------------ > > > > Everyone hates slow websites. So do we. >> Make your web apps faster with AppDynamics Download AppDynamics >> Lite for free today: http://p.sf.net/sfu/appdyn_d2d_jan > > > >> _______________________________________________ Jython-users >> mailing list Jyt...@li... > <mailto:Jyt...@li...> >> https://lists.sourceforge.net/lists/listinfo/jython-users > > > ------------------------------------------------------------------------------ > > Everyone hates slow websites. So do we. > Make your web apps faster with AppDynamics Download AppDynamics > Lite for free today: http://p.sf.net/sfu/appdyn_d2d_jan > _______________________________________________ Jython-users > mailing list Jyt...@li... > <mailto:Jyt...@li...> > https://lists.sourceforge.net/lists/listinfo/jython-users > > > > > ------------------------------------------------------------------------------ > > Everyone hates slow websites. So do we. > Make your web apps faster with AppDynamics Download AppDynamics > Lite for free today: http://p.sf.net/sfu/appdyn_d2d_jan > > > > _______________________________________________ Jython-users > mailing list Jyt...@li... > https://lists.sourceforge.net/lists/listinfo/jython-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) iEYEARECAAYFAlENgmgACgkQ7X1+MfqVcr0DIwCbBUBnHfNFSMoq5nMv+flk4OfY XM4An15MA2WdEGU5uqdzE6J0IQIGLTQV =efjt -----END PGP SIGNATURE----- |
From: PAX <onk...@ya...> - 2013-02-02 21:51:44
|
Thanks for all your advices and hints! Cheers PAX ________________________________ Von: Johannes Buchner <buc...@gm...> An: jyt...@li... Gesendet: 22:17 Samstag, 2.Februar 2013 Betreff: Re: [Jython-users] How to restrict accessible packages -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 02/02/2013 05:47 PM, PAX wrote: > The problem is, that I want to run untrusted Jython user code on a > server machine. There's a small API that should be used by the > user. The web application itselfs needs access to different Java > classes (e.g. java.io.*). But the user code must be restricted. > > Furthermore, I need to restrict the maximum heap for the user > code. > Possibly, this is only realizable with a separte JVM. Yes, that sounds like the right approach: A separate JVM with a special SecurityManager and Classloader. You probably also want to kill the program if it does not terminate within a given time. Another good security measure is to use strict interfaces for passing calls and messages, and to enforce the interface using defensive programming. I don't know your application, but if you don't necessarily need a programming language the user can input, a simple declarative language you can parse yourself would be safer. Cheers, Johannes PS: some more potentially useful links: http://stackoverflow.com/questions/1715036/how-do-i-create-a-java-sandbox http://stackoverflow.com/questions/4249063/how-can-i-run-an-untrusted-c-program-in-a-sandbox-in-linux > *Von:* Johannes Buchner <buc...@gm...> *An:* > jyt...@li... *Gesendet:* 17:24 Samstag, > 2.Februar 2013 *Betreff:* Re: [Jython-users] How to restrict > accessible packages > > On 02/02/2013 05:11 PM, PAX wrote: >> Hi friends of Jython > >> I've got a question: Is it possible to let Jython restrict the >> access to specific Java packages? For instance, how can I tell >> Jython to reject the usage of classes from "java.io.*" in user >> code? > > Perhaps you can achieve what you want using Java permissions: > > http://docs.oracle.com/javase/6/docs/technotes/guides/security/PolicyFiles.html > > > http://docs.oracle.com/javase/6/docs/technotes/guides/security/permissions.html#FilePermission > > Can you elaborate why you want to restrict access to java.io? I > think if you try to cripple Jython, you will run into many issues > and it may not even run. Permissions seem to be the right way (TM) > to restrict IO. > > Cheers, Johannes > > >> Is this possible? > >> Cheers > >> PAX > > > > ------------------------------------------------------------------------------ > > > > Everyone hates slow websites. So do we. >> Make your web apps faster with AppDynamics Download AppDynamics >> Lite for free today: http://p.sf.net/sfu/appdyn_d2d_jan > > > >> _______________________________________________ Jython-users >> mailing list Jyt...@li... > <mailto:Jyt...@li...> >> https://lists.sourceforge.net/lists/listinfo/jython-users > > > ------------------------------------------------------------------------------ > > Everyone hates slow websites. So do we. > Make your web apps faster with AppDynamics Download AppDynamics > Lite for free today: http://p.sf.net/sfu/appdyn_d2d_jan > _______________________________________________ Jython-users > mailing list Jyt...@li... > <mailto:Jyt...@li...> > https://lists.sourceforge.net/lists/listinfo/jython-users > > > > > ------------------------------------------------------------------------------ > > Everyone hates slow websites. So do we. > Make your web apps faster with AppDynamics Download AppDynamics > Lite for free today: http://p.sf.net/sfu/appdyn_d2d_jan > > > > _______________________________________________ Jython-users > mailing list Jyt...@li... > https://lists.sourceforge.net/lists/listinfo/jython-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) iEYEARECAAYFAlENgmgACgkQ7X1+MfqVcr0DIwCbBUBnHfNFSMoq5nMv+flk4OfY XM4An15MA2WdEGU5uqdzE6J0IQIGLTQV =efjt -----END PGP SIGNATURE----- ------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_jan _______________________________________________ Jython-users mailing list Jyt...@li... https://lists.sourceforge.net/lists/listinfo/jython-users |
From: Julian K. <jul...@gm...> - 2013-02-08 14:50:53
|
What about using exec builtin function and writing a custom import hook? Just thinking off the top of my head. On 2 February 2013 23:39, PAX <onk...@ya...> wrote: > Thanks for all your advices and hints! > > Cheers > > PAX > > > ------------------------------ > *Von:* Johannes Buchner <buc...@gm...> > *An:* jyt...@li... > *Gesendet:* 22:17 Samstag, 2.Februar 2013 > *Betreff:* Re: [Jython-users] How to restrict accessible packages > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 02/02/2013 05:47 PM, PAX wrote: > > The problem is, that I want to run untrusted Jython user code on a > > server machine. There's a small API that should be used by the > > user. The web application itselfs needs access to different Java > > classes (e.g. java.io.*). But the user code must be restricted. > > > > Furthermore, I need to restrict the maximum heap for the user > > code. > > > Possibly, this is only realizable with a separte JVM. > > Yes, that sounds like the right approach: A separate JVM with a > special SecurityManager and Classloader. You probably also want to > kill the program if it does not terminate within a given time. > > Another good security measure is to use strict interfaces for passing > calls and messages, and to enforce the interface using defensive > programming. I don't know your application, but if you don't > necessarily need a programming language the user can input, a simple > declarative language you can parse yourself would be safer. > > Cheers, > Johannes > > PS: some more potentially useful links: > http://stackoverflow.com/questions/1715036/how-do-i-create-a-java-sandbox > > http://stackoverflow.com/questions/4249063/how-can-i-run-an-untrusted-c-program-in-a-sandbox-in-linux > > > *Von:* Johannes Buchner <buc...@gm...> *An:* > > jyt...@li... *Gesendet:* 17:24 Samstag, > > 2.Februar 2013 *Betreff:* Re: [Jython-users] How to restrict > > accessible packages > > > > On 02/02/2013 05:11 PM, PAX wrote: > >> Hi friends of Jython > > > >> I've got a question: Is it possible to let Jython restrict the > >> access to specific Java packages? For instance, how can I tell > >> Jython to reject the usage of classes from "java.io.*" in user > >> code? > > > > Perhaps you can achieve what you want using Java permissions: > > > > > http://docs.oracle.com/javase/6/docs/technotes/guides/security/PolicyFiles.html > > > > > > > http://docs.oracle.com/javase/6/docs/technotes/guides/security/permissions.html#FilePermission > > > > Can you elaborate why you want to restrict access to java.io? I > > think if you try to cripple Jython, you will run into many issues > > and it may not even run. Permissions seem to be the right way (TM) > > to restrict IO. > > > > Cheers, Johannes > > > > > >> Is this possible? > > > >> Cheers > > > >> PAX > > > > > > > > > ------------------------------------------------------------------------------ > > > > > > > > Everyone hates slow websites. So do we. > >> Make your web apps faster with AppDynamics Download AppDynamics > >> Lite for free today: http://p.sf.net/sfu/appdyn_d2d_jan > > > > > > > >> _______________________________________________ Jython-users > >> mailing list Jyt...@li... > > <mailto:Jyt...@li...> > >> https://lists.sourceforge.net/lists/listinfo/jython-users > > > > > > > ------------------------------------------------------------------------------ > > > > > Everyone hates slow websites. So do we. > > Make your web apps faster with AppDynamics Download AppDynamics > > Lite for free today: http://p.sf.net/sfu/appdyn_d2d_jan > > _______________________________________________ Jython-users > > mailing list Jyt...@li... > > <mailto:Jyt...@li...> > > https://lists.sourceforge.net/lists/listinfo/jython-users > > > > > > > > > > > ------------------------------------------------------------------------------ > > > > > Everyone hates slow websites. So do we. > > Make your web apps faster with AppDynamics Download AppDynamics > > Lite for free today: http://p.sf.net/sfu/appdyn_d2d_jan > > > > > > > > _______________________________________________ Jython-users > > mailing list Jyt...@li... > > https://lists.sourceforge.net/lists/listinfo/jython-users > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2.0.19 (GNU/Linux) > > iEYEARECAAYFAlENgmgACgkQ7X1+MfqVcr0DIwCbBUBnHfNFSMoq5nMv+flk4OfY > XM4An15MA2WdEGU5uqdzE6J0IQIGLTQV > =efjt > -----END PGP SIGNATURE----- > > > ------------------------------------------------------------------------------ > Everyone hates slow websites. So do we. > Make your web apps faster with AppDynamics > Download AppDynamics Lite for free today: > http://p.sf.net/sfu/appdyn_d2d_jan > _______________________________________________ > Jython-users mailing list > Jyt...@li... > https://lists.sourceforge.net/lists/listinfo/jython-users > > > > > ------------------------------------------------------------------------------ > Everyone hates slow websites. So do we. > Make your web apps faster with AppDynamics > Download AppDynamics Lite for free today: > http://p.sf.net/sfu/appdyn_d2d_jan > _______________________________________________ > Jython-users mailing list > Jyt...@li... > https://lists.sourceforge.net/lists/listinfo/jython-users > > |