by kstrauser 697 days ago
My answer in an interview was “exec Python”. Then you can call all the posix functions you need without launching separate commands.

This went over quite well.

It's interesting that mainstream Unix shells do not have a syscall function. That would be very useful.
Install this on production to almost guarantee to hear from the author in his official capacity :P
> Here is what people have been saying about ctypes.sh:

"that's disgusting"

"this has got to stop"

"you've gone too far with this"

"is this a joke?"

"I never knew the c could stand for Cthulhu."

This made me giggle.

And after the exec, if they asked me to parse a Python expression, I'd type "eval(expr)".

It's funny, because at university, you would be assessed (perhaps) on such a question, and you would not be allowed to use these things! And yet, in "real life", this is exactly how you'd go about accomplishing the task.
Or even:

import code

code.interact()

# https://docs.python.org/3/library/code.html

Heh! But for real, though. Then you have a repl with access to all the functions in the os module. You can glob files to iterate over /proc. You can send signals. You can open network connections. As far as emergency shells go, you could do far, far worse.

Edit: also, all valid JSON is valid Python. Do not `eval(input_data)` in prod or I will haunt you. But, in an emergency…

Oh, I know about the security issues with eval.

My example was just as a joke.

For real use, I would only use it with my own trusted input.

I mean, realistically speaking: if I can do `foo = <paste>`, check `typeof(foo)`, and output foo again to double-check what the REPL thinks foo contains, then I'm pretty safe to `eval(foo)`.

Sure, you could fake it with custom objects and all of that, but not when I'm pasting a string value into a REPL. If you had hijacked my workstation, shell or the remote Python to the point you can exploit that... yeah, I don't think you'd need me as a user then anymore.
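An added example (not from the thread) putting the two eval discussions above side by side: the "do not eval(input_data) in prod" warning and the "paste it into the REPL and eval it" habit. It shows the parsers that accept JSON or a Python literal without executing anything, and what each does with a string that merely looks like JSON. The sample strings and helper names are constructed for this example.

```python
import ast
import json

# Constructed sample inputs (not from the thread).
PLAIN_JSON = '{"pid": 4242, "ok": true, "tags": ["a", "b"], "note": null}'
PY_LITERAL = "{'x': 1, 'y': (2, 3)}"          # Python syntax, not JSON
LOOKS_LIKE_JSON = '{"n": len("abc")}'          # an expression with a call in it


def parse_untrusted(text: str):
    """Parse data that arrived from outside the process.

    json.loads only accepts the JSON grammar, so it cannot run code, and it
    understands true/false/null, which eval() would raise NameError on.
    """
    return json.loads(text)


def parse_python_literal(text: str):
    """Accept a Python literal (dict/list/tuple/str/number/...) pasted into a REPL.

    ast.literal_eval walks the parsed AST and refuses anything that is not a
    literal: a call, attribute access or operator raises ValueError instead
    of being evaluated.
    """
    return ast.literal_eval(text)


def classify(text: str) -> str:
    """Report which safe parser accepts the text: 'json', 'literal' or 'rejected'."""
    try:
        json.loads(text)
        return "json"
    except json.JSONDecodeError:
        pass
    try:
        ast.literal_eval(text)
        return "literal"
    except (ValueError, SyntaxError):
        return "rejected"


if __name__ == "__main__":
    print(parse_untrusted(PLAIN_JSON))
    print(classify(PLAIN_JSON), classify(PY_LITERAL), classify(LOOKS_LIKE_JSON))
    # The contrast the thread is about: eval() computes len("abc") inside the
    # "data", whereas both safe parsers reject the same string.
    print(eval(LOOKS_LIKE_JSON))
```

The `classify` result is the type check the commenter describes, done on the parse tree rather than on the pasted string, so a call hidden in the value is refused before anything runs.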