4

I want to allow users to make their own Python "mods" for my game, by placing their scripts in a special folder which the game "scans" for Python modules and imports. What would be the simplest way to prevent "dangerous" scripts from being imported? I don't want people complaining to me that they used someone's mod and it erased their hard drive. Things I would like to limit is accessing/modifying/creating any files outside of their folder and connecting to the internet/downloading/sending data. If you can thik of anything else, let me know.

So how can this be done?

Sumurai8
  • 20,333
  • 11
  • 66
  • 100
  • 2
    There is no easy way to provide a reasonable amount of sandboxing. *Especially* if the files will require some amount of disk access. –  Mar 17 '12 at 15:51
  • Then what are the hard ways? I thought there would at least be a way to prevent specific modules to be imported in the future. –  Mar 17 '12 at 15:55
  • pypy provides more sophisticated sandboxing, but I have no information on how to embed it into your game. – sleeplessnerd Mar 17 '12 at 16:05
  • pypy is not an option as the game engine requires the official python version, sorry. –  Mar 17 '12 at 16:17
  • 1
    Could you handle disk access exploits by using permissions? e.g., When the user installs your game, create an account that's only allowed to read/modify files in the game's directory, and make all extensions run on that account? – octern Mar 17 '12 at 16:30
  • Permissions? What permissions? And what account? –  Mar 17 '12 at 16:38
  • I believe ocern is suggesting you create a very restricted os user that has due to OS restrictions a very limited access to harddrive. Which may be a good idea. – jb. Mar 17 '12 at 16:47
  • Ar you guys talking about an operating system user account and it's permissions? How does that make sense unless everyone is using my PC to play my game? –  Mar 17 '12 at 16:59
  • see: http://stackoverflow.com/questions/861864/is-there-a-safe-subset-of-python-for-use-as-an-embedded-scripting-language – sleeplessnerd Mar 18 '12 at 21:24

4 Answers4

2

Restricted Python seems to able to restrict functionality for code in a clean way and is compatible with python up to 2.7.

http://pypi.python.org/pypi/RestrictedPython/

e.g.

By supplying a different __builtins__ dictionary, we can rule out unsafe operations, such as opening files [...]

sleeplessnerd
  • 21,853
  • 1
  • 25
  • 29
0

The obvious way to do it is to load the module as a string and exec it. This has just as many security risks, but might be easier to block by using custom globals and locals. Have a look at this question - it gives some really good guidance on this. As pointed out in Delnan's comments, this isn't completely secure though.

You could also try this. I haven't used it, but it seems to provide a safe environment for unsafe scripts.

Community
  • 1
  • 1
aquavitae
  • 17,414
  • 11
  • 63
  • 106
  • 1
    Note that this will merely make things slightly harder for malicous modders. It's by no means a comprehensive sandbox. –  Mar 17 '12 at 16:13
  • @delnan: Correct. I'll add that to my answer. – aquavitae Mar 17 '12 at 16:21
  • @user975135: `execfile('modscript.py', custom_globals, custom_locals)` where `custom_globals` and `custom_locals` are dicts. Read the link. – aquavitae Mar 17 '12 at 16:24
0

There are some serious shortcomings for sandboxed python execution. aquavitae's answer links to some good discussion on the matter, especially this blog post. Read that first.

There is a kernel of secure execution within cPython. The fundamental idea is to replace the __builtins__ global (Note: not the __builtin__ module), which informs python to turn on some security features; making a handful of attributes on certain objects inaccessible, and removing most of the implementation objects from the interpreter when evaulating that bit of code.

You'll then need to write an actual implementation; in such a way that the protected modules are not the leaked into the sandbox. A fairly tested "file" replacement is provided in the linked blog. Getting a look on that might give you an idea of how involved and complex this problem is.

So now that you have understood that this is a challenge in python; you should take a look at languages with sandbox execution as a core feature, such as Lua, which is very popular in games.

SingleNegationElimination
  • 151,563
  • 33
  • 264
  • 304
0

Giving them python execution and trying to limit what they do is asking for trouble. See this SO question for discussion and a pointer to a good article. (You would presumably disable "eval", but it wouldn't make much difference in practice.

My suggestion: Turn the question around. Your goal is to provide them with scripting facilities so they can enhance the game. Find or define an interpreter for a suitable scripting language that has the features you need, and use it to execute their scripts. For example, you could support data persistence in a simple keystore model, without giving them file creation access. Or give them a command to create files but ensure it only accepts a path-less filename. The essential thing is to ensure that there is NO way for them to execute python commands directly.

Community
  • 1
  • 1
alexis
  • 48,685
  • 16
  • 101
  • 161