This is the community forum for my apps Pythonista and Editorial.
Set files/folders read/write attributes in user Pythonista main folder
-
An app cannot write to the APP folder of another app. That is enforced by kernel restrictions. I described above how to find the app folder -- you can try it (see if you can get to the Pythonista 2 APP folder from Pythonista 3).
Apps signed by the same developer can share files in the APPGROUP folder. By default, Pythonista has all of its user files in the app group folder.
If you want to get pysandbox working in Pythonista, you should be using it in Pythonista, because it will work differently on your desktop, since there it can use C extensions, etc. Obviously, you will write your own test cases, so there is no danger (you can create dummy files in site packages that you try to delete).
You will need to create a wrench item that runs a script using pysandbox, or else run via stash -- it won't somehow modify your environment permanently (how could it!).
You will need to define a whitelist for the path for files you want to allow reading (see safe_open.py -- this replaces python open in sandboxed scripts, and allows only read access, and only to folders you specify). You could modify safe_open to allow write access to specific folders, but as written it will only permit reading, and only from folders you tell it.
See safe_import for how imports happen.
Again, you specify a whitelist.
In my opinion, you are wasting your time. If you skim a script before you run it, you will get an idea about whether it is going to be totally malicious. And periodic backups protect you from whatever slips through. Maybe a wrench script that lists all imports, and lists all open, shutil, os, ctypes, objc_util, etc. usage in a folder would go a long way to easing your mind?
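The import-and-usage listing suggested in the post above, sketched as an added example (not code from the post or from pysandbox): it parses each script with Python's `ast` module and reports every import plus every call into the modules the post names, resolving aliases. The function names and the `eval`/`exec`/`__import__` entries are assumptions of this example, and it is a reading aid for skimming scripts, not a sandbox.

```python
import ast
import pathlib

WATCHED_MODULES = {"shutil", "os", "ctypes", "objc_util"}  # named in the post
WATCHED_BUILTINS = {"open", "eval", "exec", "__import__"}  # only open() is from the post


def _dotted(node):
    """Turn a Name/Attribute chain into 'os.path.join'; '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join([node.id] + parts[::-1]) if isinstance(node, ast.Name) else ""


def audit_source(source, filename="<string>"):
    """Return sorted (line, kind, detail) tuples for one script's text."""
    try:
        tree = ast.parse(source, filename=filename)
    except (SyntaxError, ValueError) as exc:  # e.g. Python 2 code: read it by hand
        return [(getattr(exc, "lineno", 0) or 0, "unparsed", str(exc))]
    found, bound = [], {}  # bound: local name -> watched module or member
    for node in ast.walk(tree):
        if not isinstance(node, (ast.Import, ast.ImportFrom)):
            continue
        prefix = (node.module or "") + "." if isinstance(node, ast.ImportFrom) else ""
        for a in node.names:
            full = (prefix + a.name).lstrip(".")
            found.append((node.lineno, "import", full))
            root = full.split(".")[0]
            if root in WATCHED_MODULES and (prefix or a.asname):
                bound[a.asname or a.name] = full  # alias or from-import
            elif root in WATCHED_MODULES:
                bound[root] = root  # plain "import os.path" binds only "os"
    for node in ast.walk(tree):
        name = _dotted(node.func) if isinstance(node, ast.Call) else ""
        head, dot, rest = name.partition(".")
        if head in bound:  # resolve aliases, e.g. sh.rmtree -> shutil.rmtree
            found.append((node.lineno, "call", bound[head] + dot + rest))
        elif name in WATCHED_BUILTINS:
            found.append((node.lineno, "call", name))
    return sorted(found)


def audit_folder(folder):
    """Map every .py file under folder to its findings."""
    files = sorted(p for p in pathlib.Path(folder).rglob("*.py") if p.is_file())
    return {str(p): audit_source(p.read_text(encoding="utf-8", errors="replace"), str(p))
            for p in files}
```

Access made through `getattr` or through strings passed to `exec` does not show up as a named call, which is why those builtins are flagged on their own and such scripts still need reading by hand.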
-
If your concern is about reading confidential files (versus writing files, etc.) then one option is to keep sensitive files encrypted in the app (not appgroup) folder, and have wrench items that move files in/out of that "vault". Basically you have a "lockdown" wrench item, and an "unlock" wrench item. This would be slow but probably you would only lock down critical files.
You would likely chmod that folder to remove execute access, preventing anyone from reading the directory.