[Python-Dev] PEP 3147, pycache directories and umask (original) (raw)

Greg Ewing greg.ewing at canterbury.ac.nz
Tue Mar 23 00:58:16 CET 2010

• Previous message: [Python-Dev] PEP 3147, __pycache__ directories and umask
• Next message: [Python-Dev] PEP 3147, __pycache__ directories and umask
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Antoine Pitrou wrote:

In light of this issue, I'm -0.5 on pycache becoming the default caching mechanism. The directory ownership/permissions issue is too much of a mess, especially for Web applications (think pycache files created by the Apache user).

Doesn't the existing .pyc mechanism have the same problem? Seems to me it's just as insecure to allow the Apache user to create .pyc files, since an attacker could overwrite them with arbitrary bytecode.

The only safe way is to pre-compile under a different user and make everything read-only to Apache. The same thing would apply under the pycache regime.

Actually, pycache creation doesn't have to be part of the import mechanism. It can be part of distutils instead (or whatever third-party tool

What about development, or if a user installs by dragging into site-packages instead of using an installer? I don't like the idea of being required to use an installation tool in order to get .pyc files.

-- Greg

• Previous message: [Python-Dev] PEP 3147, __pycache__ directories and umask
• Next message: [Python-Dev] PEP 3147, __pycache__ directories and umask
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Python-Dev mailing list