Replace show result with debug evaluate command
The show result subcommand was quite unsafe. Even though it limited
the globals for strings passed to the env() builtin, it was still
possible for admins to do things like call the exec() builtin and
then import other modules, or use open() to overwrite files
writeable by the user under which the engine was running.
Introduce a new evaluate command as a substitute and remove the show
result subcommand. Use the debugging framework to limit access to
evaluate so that it's only available if debug mode is enabled in the
configuration at the time the daemon is started. Further limit
evaluate to not have most of the normal builtins, and explicitly
reject any strings containing a double-underscore (__) so that base
attributes of other modules such as __builtins__ can't be called
into easily, or "lambda" so that lambda functions can't be used to
work around protections. Also add some selftests to make sure
evaluate can still use the expressions we previously tested with
show result, and that only administrators can use it, and that it's
only available to them when debug mode is enabled.
The evaluate command is still to be considered quite unsafe, and
debug mode should only be engaged when all administrators with
access to the service are trusted with the same permissions the
system account running the service also possesses.