[Python-Dev] PEP 370, open questions
glyph at divmod.com
Thu Jan 17 14:49:01 CET 2008
- Previous message: [Python-Dev] PEP 370, open questions
- Next message: [Python-Dev] ntpath r54364 (was: PEP 370, open questions)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 12:26 pm, exarkun at divmod.com wrote:
> On Thu, 17 Jan 2008 13:09:34 +0100, Christian Heimes <lists at cheimes.de> wrote:
> > The uid and gid tests aren't really required. They just provide an extra safety net if a user forgets to add the -s flag to a suid app.
> It's not much of a safety net if PYTHONPATH still allows injection of arbitrary code. It's just needless additional complexity for no benefit.
By confusing users' expectations, it may actually be worse to add this "safety net" than to do nothing. It should be obvious right now that tightly controlling the environment is a requirement of any suid Python code. However, talking about different behavior in the case of differing euid and uid might confuse some developers and/or administrators into thinking that Python was doing all it needed to. There's also the confusion that the value of $HOME is actually the relevant thing for controlling "user-installed" imports, not the (E)UID.
I think it would be good to have a look at the security implications of this and other environment-dependent execution, including $PYTHONPATH and $PYTHONSTARTUP, in a separate PEP. It might be good to change the way some of these things work, but in either case it would be good to have an unambiguous declaration of the expected security properties and potential attack vectors against the Python interpreter, for both developers and system administrators.
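The environment-dependent import channels discussed in this message (PYTHONPATH, the PEP 370 user site directory, and the fact that $HOME rather than the EUID decides where "user-installed" code is looked up) can be probed directly. The following is an added example, not code from the thread or from CPython; it spawns child interpreters with sys.executable and assumes a POSIX host and Python 3.7 or later. The directory it injects is a constructed temp dir, and the function names (pythonpath_is_honoured, user_site_enabled, user_base_for_home, hardened_flags, audit) are this example's own.

```python
"""Added example (not from the original thread or from CPython): show which
environment variables let a caller steer what a Python interpreter imports,
and which interpreter flags close each channel.  Assumes Python 3.7+ on a
POSIX host; the injected directory is a constructed temp dir."""
import json
import os
import subprocess
import sys
import tempfile


def _run_child(code, extra_env=None, flags=()):
    """Run `code` in a fresh interpreter started with `flags`, merging
    `extra_env` into the environment, and return the JSON it prints."""
    env = dict(os.environ)
    env.pop("PYTHONUSERBASE", None)   # so HOME alone decides the user site base
    env.update(extra_env or {})
    cmd = [sys.executable, *flags, "-c", code]
    proc = subprocess.run(cmd, env=env, capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def pythonpath_is_honoured(injected_dir, flags=()):
    """True if a directory named in PYTHONPATH lands on the child's sys.path.
    Any module placed there is then imported ahead of the stdlib, which is
    the arbitrary-code injection the message refers to."""
    path = _run_child("import sys, json; print(json.dumps(sys.path))",
                      {"PYTHONPATH": injected_dir}, flags)
    return injected_dir in path


def user_site_enabled(flags=()):
    """site.ENABLE_USER_SITE in the child: True, False (disabled by -s or -I),
    or None (PEP 370's uid/euid or gid/egid mismatch case)."""
    return _run_child("import site, json; print(json.dumps(site.ENABLE_USER_SITE))",
                      None, flags)


def user_base_for_home(home_dir, flags=()):
    """The directory the child treats as its user site base.  It follows $HOME
    (via os.path.expanduser), not the (E)UID, so whoever controls HOME
    controls where 'user-installed' packages are searched for."""
    return _run_child("import site, json; print(json.dumps(site.getuserbase()))",
                      {"HOME": home_dir}, flags)


def hardened_flags():
    """Flags a privileged (suid / sudo-invoked) Python entry point should carry:
    -I (3.4+) implies -E (ignore PYTHON* variables) and -s (no user site) and
    also keeps the script directory off sys.path.  On older 3.x use -E -s."""
    return ("-I",)


def audit(flags=()):
    """Run all three probes against a throwaway directory and return a dict
    of results, so the effect of a flag set can be compared to the default."""
    with tempfile.TemporaryDirectory() as d:
        return {
            "pythonpath_honoured": pythonpath_is_honoured(d, flags),
            "user_site": user_site_enabled(flags),
            "user_base_follows_home": user_base_for_home(d, flags).startswith(d),
        }


if __name__ == "__main__":
    print("default interpreter :", audit())
    print("with -E only        :", audit(("-E",)))
    print("with -s only        :", audit(("-s",)))
    print("with hardened flags :", audit(hardened_flags()))
```

Run it as a script to see the four rows side by side: with no flags the injected PYTHONPATH entry is on sys.path and the user base tracks whatever HOME was set to; -E alone closes PYTHONPATH but leaves the user site directory enabled; -s alone does the reverse; only the combined flags (or -I) close both, which is the point that PEP 370's uid/gid test on its own does not reach.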