Jean-Paul Calderone wrote:
> If it should, I think the PEP should explain the attack this defends
> against in more detail. The current brief mention of "security issues"
> is a bit hand-wavey. For example, what is the relationship between
> security, this feature, and the PYTHONPATH environment variable? Isn't
> the attack of putting malicious code into a user site-packages directory
> the same as the attack of putting it into a directory in PYTHONPATH?

The PYTHONPATH env var has the same security implications. However a user has multiple ways to avoid problems. For example the user can use the -E flag or set up sudo to ignore the environment.

The uid and gid tests aren't really required. They just provide an extra safety net if a user forgets to add the -s flag to a suid app.

Christian
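The uid/gid safety net described in the reply above, as an added sketch that is not part of the original message or the PEP's own code. The function names `user_site_allowed` and `current_process_decision` and the sample ids are assumptions for illustration; the ids are passed as arguments so the decision can be examined without a suid binary.

```python
import os
import sys


def user_site_allowed(no_user_site, uid, euid, gid, egid):
    """Decide whether the user site-packages directory may go on sys.path.

    False -> disabled explicitly by the user (the -s flag)
    None  -> disabled by the safety net: real and effective ids differ,
             which is how a suid/sgid program looks at run time
    True  -> allowed
    """
    if no_user_site:
        return False
    # In a suid program the effective uid is the file owner's while the real
    # uid is the invoking user's, and the user site directory is writable by
    # that invoking user.
    if uid != euid or gid != egid:
        return None
    return True


def current_process_decision():
    """Apply the same check to the running interpreter."""
    flag = bool(sys.flags.no_user_site)
    if not hasattr(os, "getuid"):
        # Platform without uid/gid: only the flag applies.
        return not flag
    return user_site_allowed(flag, os.getuid(), os.geteuid(),
                             os.getgid(), os.getegid())


if __name__ == "__main__":
    # Constructed cases: (no_user_site, uid, euid, gid, egid)
    cases = {
        "ordinary user": (False, 1000, 1000, 1000, 1000),
        "suid root, -s forgotten": (False, 1000, 0, 1000, 1000),
        "sgid, -s forgotten": (False, 1000, 1000, 1000, 50),
        "explicit -s": (True, 1000, 1000, 1000, 1000),
    }
    for name, args in cases.items():
        print(f"{name:26} -> {user_site_allowed(*args)}")
    print(f"{'this process':26} -> {current_process_decision()}")
```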