[Python-Dev] PEP 370, open questions

Jean-Paul Calderone exarkun at divmod.com
Thu Jan 17 13:26:09 CET 2008


On Thu, 17 Jan 2008 13:09:34 +0100, Christian Heimes <lists at cheimes.de> wrote:
>Jean-Paul Calderone wrote:
>> If it should, I think the PEP should explain the attack this defends
>> against in more detail.  The current brief mention of "security issues"
>> is a bit hand-wavey.  For example, what is the relationship between
>> security, this feature, and the PYTHONPATH environment variable?  Isn't
>> the attack of putting malicious code into a user site-packages directory
>> the same as the attack of putting it into a directory in PYTHONPATH?
>
>The PYTHONPATH env var has the same security implications. However a
>user has multiple ways to avoid problems. For example the user can use
>the -E flag or set up sudo to ignore the environment.

I'm not sure how sudo gets involved.  sudo doesn't set the euid, it sets
the uid.  This is about programs with the setuid bit set.  (I assume this
doesn't also apply to Python programs that explicitly make use of the
seteuid() call, since this will probably only be checked at interpreter
startup before any Python application code has run.)

>
>The uid and gid tests aren't really required. They just provide an extra
>safety net if a user forgets to add the -s flag to a suid app.

It's not much of a safety net if PYTHONPATH still allows injection of
arbitrary code.  It's just needless additional complexity for no benefit.

On the other hand, if all of the other mechanisms for modifying how
imports work are also made to behave this way, then maybe there's a point.

Jean-Paul
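An added illustration of the point argued above, written for this page and not taken from the thread or from CPython: a small model of the PEP 370 startup decision, assuming the semantics CPython's site.check_enableusersite() later adopted (user site-packages off when uid != euid or gid != egid, or under -s) and that only the -E flag suppresses PYTHONPATH. The Process class, the directory names and the environment values are constructed for the example.

```python
import os
from dataclasses import dataclass, field


@dataclass
class Process:
    """Constructed stand-in for the interpreter's view of its own process."""
    uid: int
    euid: int
    gid: int
    egid: int
    env: dict = field(default_factory=dict)
    no_user_site: bool = False        # python -s
    ignore_environment: bool = False  # python -E


def user_site_enabled(p: Process):
    """Model of the PEP 370 check run once at interpreter startup.

    None  -> suppressed by the setuid/setgid safety net
    False -> disabled explicitly with -s
    True  -> user site-packages is added to sys.path
    """
    if p.uid != p.euid or p.gid != p.egid:
        return None
    if p.no_user_site:
        return False
    return True


def startup_path(p: Process, user_site="/home/alice/.local/lib/python/site-packages"):
    """Directories this model interpreter would add to sys.path at startup."""
    path = []
    # PYTHONPATH is honoured unless -E was given; the uid/euid test
    # above has no effect on it, which is the objection in the thread.
    if not p.ignore_environment and p.env.get("PYTHONPATH"):
        path.extend(p.env["PYTHONPATH"].split(os.pathsep))
    if user_site_enabled(p):
        path.append(user_site)
    return path


def injection_possible(p: Process):
    """True if any user-controlled directory still reaches sys.path."""
    return bool(startup_path(p))


if __name__ == "__main__":
    env = {"PYTHONPATH": "/tmp/untrusted"}  # constructed, user-writable
    suid = Process(uid=1000, euid=0, gid=1000, egid=0, env=env)
    print(startup_path(suid))  # user site dropped, PYTHONPATH still present
    print(startup_path(Process(1000, 0, 1000, 0, env, ignore_environment=True)))
```

Only the combination of the uid/euid test and -E (or a caller that scrubs the environment) leaves nothing user-controlled on the path.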
