On 12:26 pm, exarkun at divmod.com wrote:
>On Thu, 17 Jan 2008 13:09:34 +0100, Christian Heimes <lists at cheimes.de>
>wrote:
>>The uid and gid tests aren't really required. They just provide an
>>extra safety net if a user forgets to add the -s flag to a suid app.
>It's not much of a safety net if PYTHONPATH still allows injection of
>arbitrary code. It's just needless additional complexity for no
>benefit.

By confusing users' expectations, it may actually be *worse* to add this "safety net" than to do nothing. It should be obvious right now that tightly controlling the environment is a requirement of any suid Python code. However, talking about different behavior in the case of differing euid and uid might confuse some developers and/or administrators into thinking that Python was doing all it needed to.

There's also the confusion that the value of $HOME is actually the relevant thing for controlling "user-installed" imports, not the (E)UID.

I think it would be good to have a look at the security implications of this and other environment-dependent execution, including $PYTHONPATH and $PYTHONSTARTUP, in a separate PEP. It might be good to change the way some of these things work, but in either case it would be good to have an unambiguous declaration of the *expected* security properties and potential attack vectors against the Python interpreter, for both developers and system administrators.
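The points made in the message above (PYTHONPATH lets a caller inject an importable module regardless of any uid/euid check, the user site directory follows $HOME rather than the uid, and the only real fix is to control the environment the interpreter sees) can be shown directly. The following is an added example written for this page, not code from the thread or from CPython; it assumes a POSIX host, a Python 3 interpreter that accepts the `-E` and `-I` flags (`-I`, which combines `-E` and `-s`, was added in Python 3.4, well after this 2008 discussion), and uses a constructed module name and a constructed allowlist environment `SAFE_ENV` that stand in for whatever a real setuid helper would pin down.

```python
"""Show how a child interpreter's environment decides what `import` resolves to,
and the two ways to close the hole: start the interpreter with flags that ignore
the environment, or hand it a scrubbed environment in the first place.
Added example for this page; assumes POSIX and a Python 3.4+ interpreter."""
import os
import subprocess
import sys
import tempfile

# Constructed module name, chosen so it cannot collide with anything installed.
MODULE = "injected_by_env_demo"

# Constructed allowlist environment for a setuid helper: PATH is reset to a fixed
# value and no PYTHON* variable (or HOME) from the caller survives.
SAFE_ENV = {"PATH": "/usr/bin:/bin"}


def running_setuid():
    """True when real and effective uid differ, i.e. we are a setuid program.
    This is the uid/euid test discussed above; by itself it blocks nothing."""
    return hasattr(os, "geteuid") and os.getuid() != os.geteuid()


def can_import(env, flags=()):
    """Start a child interpreter with `env` and `flags`; report whether MODULE resolves."""
    code = f"import importlib.util as u; print(u.find_spec({MODULE!r}) is not None)"
    proc = subprocess.run([sys.executable, *flags, "-c", code],
                          env=env, capture_output=True, text=True, check=True)
    return proc.stdout.strip() == "True"


def user_site_under(home):
    """Where a child interpreter started with HOME=home looks for user-installed modules.
    Shows that the user site directory is a function of $HOME, not of the uid."""
    env = dict(SAFE_ENV, HOME=home)
    code = "import site; print(site.getusersitepackages())"
    proc = subprocess.run([sys.executable, "-c", code],
                          env=env, capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def run_demo():
    """Plant a module in a temporary directory and probe each scenario.
    Returns a dict of scenario -> True if the planted module was importable."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, MODULE + ".py"), "w") as f:
            f.write("# planted module: would run attacker code at import time\n")
        # A caller of a setuid script controls PYTHONPATH unless it is stripped.
        hostile = dict(SAFE_ENV, PYTHONPATH=tmp)
        results = {
            "default":          can_import(hostile),            # injected
            "-E":               can_import(hostile, ("-E",)),   # env ignored
            "-I":               can_import(hostile, ("-I",)),   # env ignored, no user site
            "scrubbed env":     can_import(SAFE_ENV),           # nothing to inject
            "user site follows HOME": user_site_under(tmp).startswith(tmp),
        }
    return results


if __name__ == "__main__":
    print("setuid context:", running_setuid())
    for scenario, importable in run_demo().items():
        print(f"{scenario:26} {importable}")
```

The `-E`/`-I` rows show what the `-s`-style flags the thread mentions actually buy; the "scrubbed env" row is the approach the message argues is the real requirement, since it also closes $HOME-driven user-site imports and anything else the interpreter reads from its environment, whether or not a uid/euid check is present.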