[Python-Dev] PEP 370, open questions (original) (raw)

Christian Heimes lists at cheimes.de
Thu Jan 17 13:09:34 CET 2008

• Previous message: [Python-Dev] PEP 370, open questions
• Next message: [Python-Dev] PEP 370, open questions
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Jean-Paul Calderone wrote:

If it should, I think the PEP should explain the attack this defends against in more detail. The current brief mention of "security issues" is a bit hand-wavey. For example, what is the relationship between security, this feature, and the PYTHONPATH environment variable? Isn't the attack of putting malicious code into a user site-packages directory the same as the attack of putting it into a directory in PYTHONPATH?

The PYTHONPATH env var has the same security implications. However a user has multiple ways to avoid problems. For example the user can use the -E flag or set up sudo to ignore the environment.

The uid and gid tests aren't really required. They just provide an extra safety net if a user forgets to add the -s flag to a suid app.

Christian

• Previous message: [Python-Dev] PEP 370, open questions
• Next message: [Python-Dev] PEP 370, open questions
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Python-Dev mailing list