Message 388490 - Python tracker

Message388490

Author	christian.heimes
Recipients	christian.heimes, docs@python, frankli, gousaiyang, steve.dower, vstinner, zkonge
Date	2021-03-11.09:31:26
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1615455086.83.0.658258801325.issue43438@roundup.psfhosted.org>
In-reply-to

Content
Python's dynamic nature makes it hard to implement and reason about audit hooks written in Python. sys.addaudithook() is really only design for testing, debugging, and playing around with auditing. You absolutely have to write a custom interpreter if you want to take auditing serious. Please also keep in mind that sys.addaudithook() does not add a global hook. The function adds a per-interpreter hook. It just looks global to most people because a process typically has just one interpreter. I have filed bpo-43472 to track the issue. $ cat auditsub.py import sys import _xxsubinterpreters def hook(*args): print(args) sys.addaudithook(hook) import os os.system('echo main interpreter') sub = _xxsubinterpreters.create() _xxsubinterpreters.run_string(sub, "import os; os.system('echo you got pwned')", None) $ ./python auditsub.py ('os.system', (b'echo main interpreter',)) main interpreter you got pwned

Content

Python's dynamic nature makes it hard to implement and reason about audit hooks written in Python. sys.addaudithook() is really only design for testing, debugging, and playing around with auditing. You absolutely have to write a custom interpreter if you want to take auditing serious.

Please also keep in mind that sys.addaudithook() does **not** add a global hook. The function adds a per-interpreter hook. It just looks global to most people because a process typically has just one interpreter. I have filed bpo-43472 to track the issue.

$ cat auditsub.py 
import sys
import _xxsubinterpreters

def hook(*args):
    print(args)

sys.addaudithook(hook)

import os
os.system('echo main interpreter')

sub = _xxsubinterpreters.create()
_xxsubinterpreters.run_string(sub, "import os; os.system('echo you got pwned')", None)

$ ./python auditsub.py 
('os.system', (b'echo main interpreter',))
main interpreter
you got pwned

History
Date	User	Action	Args
2021-03-11 09:31:26	christian.heimes	set	recipients: + christian.heimes, vstinner, docs@python, steve.dower, zkonge, gousaiyang, frankli
2021-03-11 09:31:26	christian.heimes	set	messageid: <1615455086.83.0.658258801325.issue43438@roundup.psfhosted.org>
2021-03-11 09:31:26	christian.heimes	link	issue43438 messages
2021-03-11 09:31:26	christian.heimes	create