
Is fstat() a safe (sandboxed) operation?

I'm currently writing a Python sandbox using sandboxed PyPy. Basically, the sandbox works by providing a "controller" that maps system library calls to a specified function instead. After following the instructions found at codespeak (which walk through the setup process), I realized that the default controller does not include a replacement for os.fstat(), and therefore crashes when I call open(). Specifically, the included pypy/translator/sandbox/sandlib.py does not contain a definition for do_ll_os__ll_os_fstat.

So far, I've implemented it as:

import os

# Controller method: forward the sandboxed program's fstat() to the host.
def do_ll_os__ll_os_fstat(self, fd):
    return os.fstat(fd)

which seems to work fine. Is this safe? Will this create a hole in the sandbox?


The fstat call can reveal certain information which you may or may not want to keep secret. Among other things:

  • Whether two file descriptors are on the same filesystem
  • The block size of the underlying filesystem
  • Numeric UID/GIDs of file owners
  • Modification/access times of files

However, it will not modify anything, so if you don't mind this (relatively minor) information leak, no problem. You could also alter some of the results to mask information you want to hide (set owner UIDs/GIDs to 0, for example).
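One way to do the masking suggested above, as an added example that is not part of the answer or of PyPy's sandlib: the fields zeroed here (inode, device, owner, timestamps), the fields kept (mode, link count, size) and the constructed sample stat are my own choices, and `sanitize_stat` would be called from the controller's do_ll_os__ll_os_fstat before the result is handed back to the sandboxed program.

```python
import os
import stat

# Constructed sample: a regular file, mode 0644, owned by uid/gid 1000,
# inode 123456 on device 2049, 4096 bytes, with realistic-looking times.
# os.stat_result accepts the 10 positional fields of struct stat.
SAMPLE_STAT = os.stat_result((
    stat.S_IFREG | 0o644,  # st_mode
    123456,                # st_ino
    2049,                  # st_dev
    1,                     # st_nlink
    1000,                  # st_uid
    1000,                  # st_gid
    4096,                  # st_size
    1700000000,            # st_atime
    1700000001,            # st_mtime
    1700000002,            # st_ctime
))


def sanitize_stat(st):
    """Return a copy of a stat result with host-identifying fields masked.

    Kept: st_mode (file type and permission bits), st_nlink and st_size,
    which a sandboxed program needs to behave normally.
    Zeroed: st_ino and st_dev (would reveal whether two descriptors share
    a filesystem), st_uid/st_gid (owner identities) and the three
    timestamps.  Extended fields such as st_blksize are dropped (they read
    as None on the returned object), which also hides the block size.
    """
    mode, _ino, _dev, nlink, _uid, _gid, size, _at, _mt, _ct = tuple(st)[:10]
    return os.stat_result((mode, 0, 0, nlink, 0, 0, size, 0, 0, 0))


class MaskedFstatController:
    """Hypothetical controller mix-in showing where the masking would sit."""

    def do_ll_os__ll_os_fstat(self, fd):
        return sanitize_stat(os.fstat(fd))
```

The sandboxed program still sees the correct file type, permissions and size, so open()/read() loops keep working, while owner and filesystem identity never leave the host.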


bdonlan's answer is good, but since there is a bounty here, what the heck :-)

You can see for yourself precisely what information fstat provides by reading the POSIX spec for struct stat.

It is definitely a "read-only" operation. And as a rule, Unix file descriptors only provide access to the single object to which they refer. For example, a (readable) file descriptor referencing a directory will allow you to list the files within the directory, but it will not allow you to access files within the directory; for that, you need to open() the file, which will perform a permission check.

Be aware that fstat can be called on non-files like directories or sockets. Here again, though, it will only provide the information you see in struct stat and it will not modify anything. (And for a socket, most of the fields will be meaningless.)

