17.1.2 Defining restricted environments

The RExec class has the following class attributes, which are used by the __init__() method. Changing them on an existing instance won't have any effect; instead, create a subclass of RExec and assign them new values in the class definition. Instances of the new class will then use those new values. All these attributes are tuples of strings.

nok_builtin_names
Contains the names of built-in functions which will not be available to programs running in the restricted environment. The value for RExec is ('open', 'reload', '__import__'). (This gives the exceptions, because by far the majority of built-in functions are harmless. A subclass that wants to override this variable should probably start with the value from the base class and concatenate additional forbidden functions -- when new dangerous built-in functions are added to Python, they will also be added to this module.)

ok_builtin_modules
Contains the names of built-in modules which can be safely imported. The value for RExec is ('audioop', 'array', 'binascii', 'cmath', 'errno', 'imageop', 'marshal', 'math', 'md5', 'operator', 'parser', 'regex', 'rotor', 'select', 'sha', '_sre', 'strop', 'struct', 'time'). A similar remark about overriding this variable applies -- use the value from the base class as a starting point.

ok_path
Contains the directories which will be searched when an import is performed in the restricted environment. The value for RExec is the same as sys.path (at the time the module is loaded) for unrestricted code.

ok_posix_names
Contains the names of the functions in the os module which will be available to programs running in the restricted environment. The value for RExec is ('error', 'fstat', 'listdir', 'lstat', 'readlink', 'stat', 'times', 'uname', 'getpid', 'getppid', 'getcwd', 'getuid', 'getgid', 'geteuid', 'getegid').

ok_sys_names
Contains the names of the functions and variables in the sys module which will be available to programs running in the restricted environment. The value for RExec is ('ps1', 'ps2', 'copyright', 'version', 'platform', 'exit', 'maxint').

ok_file_types
Contains the file types from which modules are allowed to be loaded. Each file type is an integer constant defined in the imp module. The meaningful values are PY_SOURCE, PY_COMPILED, and C_EXTENSION. The value for RExec is (C_EXTENSION, PY_SOURCE). Adding PY_COMPILED in subclasses is not recommended; an attacker could exit the restricted execution mode by putting a forged byte-compiled file (.pyc) anywhere in your file system, for example by writing it to /tmp or uploading it to the /incoming directory of your public FTP server.

See About this document... for information on suggesting changes.