{"id":16613036,"url":"https://github.com/craftspider/pysecuritymanager","last_synced_at":"2025-07-14T07:34:42.601Z","repository":{"id":112386605,"uuid":"225750273","full_name":"CraftSpider/PySecurityManager","owner":"CraftSpider","description":"A security manager using 3.8+ audit hooks, in the style of the Java Security Manager (Though slightly more sane)","archived":false,"fork":false,"pushed_at":"2019-12-09T14:36:07.000Z","size":9,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-10T20:43:31.011Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CraftSpider.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-12-04T01:17:10.000Z","updated_at":"2020-08-01T19:03:29.000Z","dependencies_parsed_at":"2023-05-14T09:45:41.712Z","dependency_job_id":null,"html_url":"https://github.com/CraftSpider/PySecurityManager","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/CraftSpider/PySecurityManager","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CraftSpider%2FPySecurityManager","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CraftSpider%2FPySecurityManager/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CraftSpider%2FPySecurityManager/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CraftSpider%2FPyS
ecurityManager/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CraftSpider","download_url":"https://codeload.github.com/CraftSpider/PySecurityManager/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CraftSpider%2FPySecurityManager/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265255907,"owners_count":23735361,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-12T01:45:49.769Z","updated_at":"2025-07-14T07:34:42.580Z","avatar_url":"https://github.com/CraftSpider.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n# Python Security Manager\n\nA security manager, inspired by the Java Security Manager and [PEP 578](https://www.python.org/dev/peps/pep-0578/).\nDesigned to be simple to use: just import it and set up a manager.\n\n## Usage\n\nA simple manager, installed for all threads:\n\n```py\nimport secman\nmanager = secman.SecurityManager()\n# Allow imports of modules, not packages (packages also require open and os.listdir)\nmanager.set_permission(secman.Permission(\"import\", True))\nmanager.set_permission(secman.Permission(\"exec\", True))\n# By default, the manager is added for all threads. Accepts a thread ID as a second argument\nsecman.add_manager(manager)\n```\n\nBy default, this manager cannot be removed, and no more can be added. 
This is because managers currently block\neverything by default, and the secman package raises its own audits on manager and permission alteration.\n\n## How It Works\n\n### Setup\nOn import, the security manager sets up its classes/functions, and then runs a couple of lines of code.\nIt installs a new audit hook, steals some references to various items, then deletes those items\nfrom the public scope.\n\n### Runtime\nWhile running, the audit hook receives all audit events and associated arguments. Each time, the hook\nchecks the current thread ID, checks if any Managers exist for all threads or the current thread, then\ndispatches to them if they're set. If their check returns False, or they raise any error, the hook raises\na SecurityError, which is propagated by the Python interpreter to the calling scope.\n\n### Shutdown\nOn shutdown, the interpreter will clear all hooks. By default, the Manager will raise a SecurityError\nwhen this happens, to guarantee the shutdown of the runtime after hooks are cleared. This is done\nbecause, while the hook clear itself cannot be stopped, raising prevents malicious C code from calling the clear\nwithout the user noticing.\n\n### Alternatives\nIn Python 3.7 and below, some of what this does could be replicated, but it was much more complicated.\nOne could replace builtin functions with their own implementations, which for many functions might\nrequire custom handling. Unfortunately, things like `object.__getattr__` and `object.__setattr__`\ncannot be replaced at the Python level. Trying to set them at runtime results in a `TypeError`,\nso auditing them would require a custom version of the CPython interpreter. 
In short, one would\nhave needed to just write the entire Audit system themselves into the CPython source, then use a\ncustom Python interpreter.\n\n## TODO\n\n- Change to C, as the 'steal then delete' currently can be gotten around\n- Finish 'Targets' to allow more extensive permissions\n- Make more sane default manager settings, to encourage drop-in use\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcraftspider%2Fpysecuritymanager","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcraftspider%2Fpysecuritymanager","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcraftspider%2Fpysecuritymanager/lists"}