Guido van Rossum wrote:
>
> Discussions based on Python running as root and picking up untrusted
> code from $PYTHONPATH are pointless.  Of course this is a security
> hole.  If root runs *any* Python script in a way that could pick up
> even a single untrusted module, there's a security hole.  site.py or
> *.pth files are just a special case of this, so I don't see why this
> is used as an example.

Agreed; see my reply to Martin.

Still, wouldn't it be wise to add some logic to Python to prevent
importing untrusted modules, e.g. by making sys.path read-only and
disabling the import hook usage using a command line?
This would at least prevent the most obvious attacks.

I wonder how RedHat works around these problems.

--
Marc-Andre Lemburg
______________________________________________________________________
Company:                                        http://www.egenix.com/
Consulting:                                    http://www.lemburg.com/
Python Pages:                           http://www.lemburg.com/python/
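
An added example, not part of the original message and not CPython code: a defender-side audit for the situation discussed above, listing sys.path entries and *.pth files that someone other than root or the invoking user could modify. The names audit_import_path and _untrusted_write and the trusted-UID policy are assumptions of this example; it assumes POSIX ownership and permission bits and, for simplicity, checks every directory on the path for *.pth files rather than only site directories.

```python
import os
import stat
import sys


def _untrusted_write(path, trusted_uids):
    """Return why an untrusted user can modify `path`, or None."""
    st = os.stat(path)
    if st.st_uid not in trusted_uids:
        return f"owned by untrusted uid {st.st_uid}"
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        return f"group-writable (gid {st.st_gid})"
    return None


def audit_import_path(paths=None, trusted_uids=None):
    """Return (path, reason) pairs for import locations untrusted users control."""
    paths = sys.path if paths is None else paths
    # Assumed policy: only root and the invoking user are trusted.
    trusted = {0, os.getuid()} if trusted_uids is None else set(trusted_uids)
    findings = []
    for entry in paths:
        entry = os.path.abspath(entry or os.getcwd())  # '' means current directory
        if not os.path.exists(entry):
            # Whoever can write to the parent can create the missing entry.
            parent = os.path.dirname(entry)
            reason = _untrusted_write(parent, trusted) if os.path.isdir(parent) else None
            if reason:
                findings.append((entry, f"missing; parent {reason}"))
            continue
        reason = _untrusted_write(entry, trusted)
        if reason:
            findings.append((entry, reason))
        if not os.path.isdir(entry):
            continue  # e.g. a zip archive on sys.path
        # site.py processes *.pth files found in site directories at startup.
        for name in sorted(os.listdir(entry)):
            if name.endswith(".pth"):
                reason = _untrusted_write(os.path.join(entry, name), trusted)
                if reason:
                    findings.append((os.path.join(entry, name), reason))
    return findings


if __name__ == "__main__":
    for path, reason in audit_import_path():
        print(f"{path}: {reason}")
```

Run it under the same account and environment (including $PYTHONPATH) as the script being checked, since sys.path depends on both.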