vb/pysectools

A small Python library that contains various security things

Primary language: Python. License: Do What The F*ck You Want To Public License (WTFPL).

pysectools on PyPI


Usage

import pysectools

Prevent secrets from leaking out of your process's memory:

pysectools.disallow_swap()
pysectools.disallow_core_dumps()
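To show what these two calls protect against, here is an added example (not pysectools' own code) that applies the same two operating-system controls directly: a zero core-file limit via `setrlimit(RLIMIT_CORE)`, and `mlockall(2)` to keep the process's pages out of swap. That these are the mechanisms behind `disallow_core_dumps()` and `disallow_swap()` is an assumption; the constants and calls themselves are the documented POSIX/Linux ones.

```python
# Added example, not pysectools' own code: the OS controls that stop a
# process's memory (and the secrets in it) from reaching disk.
import ctypes
import ctypes.util
import resource
import sys

MCL_CURRENT = 1  # lock every page that is mapped right now
MCL_FUTURE = 2   # ...and every page mapped from now on


def disallow_core_dumps():
    """Set the core-file size limit to 0 so a crash cannot write the process
    image to disk. Lowering a limit needs no privilege, so this works for any
    user. Returns the resulting (soft, hard) pair."""
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
    return resource.getrlimit(resource.RLIMIT_CORE)


def core_dumps_disabled():
    soft, hard = resource.getrlimit(resource.RLIMIT_CORE)
    return soft == 0 and hard == 0


def disallow_swap():
    """Pin the whole process in RAM with mlockall(2). Returns True on success
    and False when the platform has no mlockall or the kernel refuses, which
    is the normal outcome for an unprivileged process whose RLIMIT_MEMLOCK is
    smaller than its current memory. The caller decides whether False is fatal;
    a secret-handling daemon usually should treat it as fatal."""
    if sys.platform.startswith("win"):
        return False  # no mlockall(); Windows needs VirtualLock per buffer
    try:
        libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
        mlockall = libc.mlockall
    except (OSError, AttributeError):
        return False
    mlockall.argtypes = [ctypes.c_int]
    mlockall.restype = ctypes.c_int
    return mlockall(MCL_CURRENT | MCL_FUTURE) == 0


if __name__ == "__main__":
    print("core dumps:", disallow_core_dumps())
    print("memory locked:", disallow_swap())
```

Note the asymmetry: the core-dump limit is guaranteed to apply, while `mlockall` commonly fails for non-root processes, so a program must check its result rather than assume the secret is pinned.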

Drop privileges:

pysectools.drop_privileges('username', 'groupname')
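Dropping privileges correctly is mostly a matter of ordering: supplementary groups and the gid must be changed while the process is still root, and the uid goes last. The following is an added example (not pysectools' own code) of that sequence with a check that the drop is irreversible; how pysectools itself orders these calls is not stated on this page.

```python
# Added example, not pysectools' own code: irreversible privilege drop
# from root to a named user/group, plus a self-check.
import grp
import os
import pwd


def resolve_ids(username, groupname=None):
    """Numeric uid/gid for the target. With groupname=None the user's
    primary group from the passwd entry is used."""
    pw = pwd.getpwnam(username)
    gid = grp.getgrnam(groupname).gr_gid if groupname else pw.pw_gid
    return pw.pw_uid, gid


def drop_privileges(username, groupname=None):
    """Drop from root to username/groupname. Returns False when not running
    as root (nothing to drop), True after a successful drop."""
    if os.getuid() != 0:
        return False
    uid, gid = resolve_ids(username, groupname)
    # 1. supplementary groups first: not permitted once we are no longer root
    os.setgroups([gid])
    # 2. gid before uid: setgid() would fail after setuid() to a non-root user
    os.setgid(gid)
    # 3. uid last; as root, setuid() sets real, effective and saved uid,
    #    so there is no saved root id left to switch back to
    os.setuid(uid)
    # files created from here on are private to the new user
    os.umask(0o077)
    return True


def privileges_dropped():
    """True only if we are not root AND cannot become root again."""
    if os.getuid() == 0:
        return False
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    if drop_privileges("nobody"):
        print("dropped; irreversible:", privileges_dropped())
    else:
        print("not root, nothing to drop; uid", os.getuid())
```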

Securely erase a secret from memory (only on CPython):

password = 'correct horse battery staple'
pysectools.zero(password)
# password == '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
# \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
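`zero()` works by overwriting the `str` object's buffer through CPython internals, which is why it is CPython-only, and it can only reach that one object: every copy made earlier (an `.encode()`, a concatenation, a log line) keeps the secret. The added example below (not pysectools' own code) shows the portable alternative, keeping the secret in a mutable `bytearray` from the start and wiping it in place, and demonstrates the copy problem with a constructed value.

```python
# Added example, not pysectools' own code: in-place wiping of a bytearray,
# and why copies defeat any wipe.


def wipe(buf: bytearray) -> None:
    """Overwrite every byte in place. Slice assignment keeps the same object
    and the same length, so references elsewhere see the zeroed buffer."""
    buf[:] = b"\x00" * len(buf)


def is_wiped(buf: bytearray) -> bool:
    return all(b == 0 for b in buf)


def demo():
    # constructed secret; in real code fill the bytearray directly from the
    # input source (e.g. a readinto() call) so no immutable copy ever exists
    secret = bytearray(b"correct horse battery staple")
    leaked_copy = bytes(secret)  # bytes(), str(), .decode(): all make copies
    wipe(secret)
    # the buffer is gone, the copy is intact: wiping is only as good as the
    # discipline of never copying the secret in the first place
    return is_wiped(secret), leaked_copy == b"correct horse battery staple"


if __name__ == "__main__":
    wiped, copy_survives = demo()
    print("buffer wiped:", wiped, "| copy still holds secret:", copy_survives)
```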

Enter a Capsicum sandbox (works out of the box on FreeBSD 10.0 and newer):

b = open('before.txt', 'w')
pysectools.cap_enter()
b.write('hello from the sandbox!') # ok
open('after.txt', 'w').write('new file!') # IOError: [Errno 94] Not permitted in capability mode: 'after.txt'

Get a password safely using pinentry (usually comes with GnuPG) or getpass if there's no pinentry:

from pysectools.pinentry import Pinentry
pinentry = Pinentry(pinentry_path="/usr/local/bin/pinentry",
                    fallback_to_getpass=True)
# all parameters are optional
passphrase = pinentry.ask(prompt="Enter your passphrase: ",
                          description="Launching the nuclear rocket",
                          validator=lambda x: x.startswith("correct horse"))
pinentry.close()
rocket.authorize(passphrase)  # `rocket` stands for your own application object
pysectools.zero(passphrase)   # wipe the secret as soon as it has been used
rocket.launch()
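Under the hood a pinentry program is driven over stdin/stdout with the Assuan protocol: the client sends `SETPROMPT`, `SETDESC` and `GETPIN`, and the passphrase comes back in percent-escaped `D` lines followed by `OK`, or an `ERR` line if the user cancels. The added example below (not pysectools' own code) builds such a request, parses constructed reply lines, and makes the same pinentry-or-getpass decision the `fallback_to_getpass` option describes; the function names are the example's own.

```python
# Added example, not pysectools' own code: the Assuan exchange behind a
# pinentry GETPIN, parsed from constructed reply lines so it runs offline.
import re
import shutil


class PinentryError(Exception):
    pass


def assuan_escape(text: str) -> str:
    """Command arguments must percent-escape %, CR and LF."""
    return text.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def assuan_unescape(text: str) -> str:
    """Reverse %XX escapes on the UTF-8 byte level, then decode."""
    raw = re.sub(rb"%([0-9A-Fa-f]{2})",
                 lambda m: bytes.fromhex(m.group(1).decode()),
                 text.encode("utf-8"))
    return raw.decode("utf-8")


def build_getpin_request(prompt: str, description: str):
    return ["SETPROMPT " + assuan_escape(prompt),
            "SETDESC " + assuan_escape(description),
            "GETPIN",
            "BYE"]


def parse_getpin_reply(lines):
    """Interpret the lines answering GETPIN: 'D <data>' carries the passphrase
    (possibly in several chunks), 'OK' completes it, 'ERR <code> <text>'
    aborts (e.g. the user pressed Cancel). Status and comment lines are skipped."""
    chunks = []
    for line in lines:
        if line.startswith("D "):
            chunks.append(assuan_unescape(line[2:]))
        elif line == "OK" or line.startswith("OK "):
            return "".join(chunks)
        elif line.startswith("ERR "):
            raise PinentryError(line[4:])
        elif line.startswith(("S ", "#")):
            continue
        else:
            raise PinentryError("unexpected line: " + line)
    raise PinentryError("pinentry closed the connection without OK")


def choose_backend(pinentry_path="pinentry", fallback_to_getpass=True):
    """'pinentry' if the program exists, else 'getpass' when the fallback is
    allowed, else an error: a missing pinentry must never silently turn into
    an echoing input() call."""
    if shutil.which(pinentry_path) is not None:
        return "pinentry"
    if fallback_to_getpass:
        return "getpass"
    raise PinentryError("pinentry not found at %r" % pinentry_path)


# constructed sample replies, not captured from a real pinentry
SAMPLE_REPLY_OK = ["D correct horse battery%25staple", "OK"]
SAMPLE_REPLY_CANCEL = ["ERR 83886179 Operation cancelled <Pinentry>"]

if __name__ == "__main__":
    print(build_getpin_request("Enter your passphrase: ", "Launching\nthe rocket"))
    print(parse_getpin_reply(SAMPLE_REPLY_OK))
```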

Generate a cryptographically secure pseudorandom byte string (tries /dev/urandom, or CryptGenRandom on Windows, then libcrypto (LibreSSL) arc4random, then libc arc4random):

pysectools.goodrandom(32) # size in bytes
# check the return value! it's False if there's something wrong
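Because a falsy return is easy to overlook (`False` even has a length-like truthiness trap when compared carelessly), the safest pattern is a wrapper that turns any result that is not exactly the requested number of bytes into an exception. The added example below is not pysectools' own code; its `source` parameter accepts any generator with the `goodrandom(size)` signature, including `pysectools.goodrandom` itself, and the default `os.urandom` is used here only so the block runs without the library.

```python
# Added example, not pysectools' own code: never let a failed RNG call
# flow into key material unnoticed.
import os


class RandomnessUnavailable(Exception):
    pass


def require_random(size, source=os.urandom):
    """Return exactly `size` random bytes from `source`, or raise.
    Rejects False/None (the goodrandom() failure signal), wrong types and
    short reads alike, so the caller can only ever see good output."""
    out = source(size)
    if not isinstance(out, (bytes, bytearray)) or len(out) != size:
        raise RandomnessUnavailable(
            "random source returned %r instead of %d bytes" % (out, size))
    return bytes(out)


def make_session_key(source=os.urandom):
    """Typical caller: a fixed-size key that must come from require_random."""
    return require_random(32, source)


if __name__ == "__main__":
    print(make_session_key().hex())
```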

Resources

License

Copyright © 2013-2014 Greg V greg@unrelenting.technology
This work is free. You can redistribute it and/or modify it under the
terms of the Do What The Fuck You Want To Public License, Version 2,
as published by Sam Hocevar. See the COPYING file for more details.