[Python-Dev] PEP 370, open questions
glyph at divmod.com
Thu Jan 17 14:49:01 CET 2008
On 12:26 pm, exarkun at divmod.com wrote:
>On Thu, 17 Jan 2008 13:09:34 +0100, Christian Heimes <lists at cheimes.de>
>wrote:
>>The uid and gid tests aren't really required. They just provide an extra
>>safety net if a user forgets to add the -s flag to a suid app.
>It's not much of a safety net if PYTHONPATH still allows injection of
>arbitrary code. It's just needless additional complexity for no
>benefit.
By confusing users' expectations, it may actually be *worse* to add this
"safety net" than to do nothing. It should be obvious right now that
tightly controlling the environment is a requirement of any suid Python
code. However, talking about different behavior in the case of
differing euid and uid might confuse some developers and/or
administrators into thinking that Python was doing all it needed to.
There's also the confusion that the value of $HOME is actually the
relevant thing for controlling "user-installed" imports, not the (E)UID.
I think it would be good to have a look at the security implications of
this and other environment-dependent execution, including $PYTHONPATH
and $PYTHONSTARTUP, in a separate PEP. It might be good to change the
way some of these things work, but in either case it would be good to
have an unambiguous declaration of the *expected* security properties
and potential attack vectors against the Python interpreter, for both
developers and system administrators.
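The environment-dependent import behaviour discussed above can be observed directly. The following is an added demonstration, not code from the thread or from PEP 370: it spawns fresh interpreters with a fully controlled environment, plants a module under a PYTHONPATH directory and under the user site-packages directory that Python derives from $HOME, and records which copy an import resolves to, with and without -E (ignore PYTHON* variables), -s (no user site) and -I (isolated, implying both). The module name `pep370_probe`, the directory layout and the helper names are constructed for this example; a POSIX layout is assumed, since the user site directory is computed from $HOME there.

```python
"""Where does an import come from under an untrusted environment?

Added example (not from the thread or PEP 370).  Assumes POSIX: Python's
user site directory is derived from $HOME.  The module name "pep370_probe"
and the directory layout are constructed here.
"""
import os
import subprocess
import sys
import tempfile

MODULE = "pep370_probe"  # hypothetical module name, constructed for this demo

# Child-side snippets: report where MODULE resolves, and what the child
# believes its user site directory is (and whether user site is enabled).
FIND = ("import importlib.util as u; s = u.find_spec(%r); "
        "print(s.origin if s and s.origin else '')" % MODULE)
SITEINFO = "import site; print(site.ENABLE_USER_SITE, site.getusersitepackages())"


def run_child(env, flags=(), code=FIND, cwd=None):
    """Run `code` in a fresh interpreter with exactly `env`; return stripped stdout."""
    cmd = [sys.executable, *flags, "-c", code]
    out = subprocess.run(cmd, env=env, cwd=cwd, capture_output=True,
                         text=True, check=True)
    return out.stdout.strip()


def base_env(home):
    # Only PATH and HOME: nothing exported by the parent's shell leaks through.
    return {"PATH": os.environ.get("PATH", ""), "HOME": home}


def plant(dirname, text):
    """Drop MODULE.py into `dirname`, creating the directory tree as needed."""
    os.makedirs(dirname, exist_ok=True)
    with open(os.path.join(dirname, MODULE + ".py"), "w") as f:
        f.write(text)


def classify(origin, pp_dir, home):
    """Map the resolved file path to the drop point it came from."""
    if not origin:
        return None
    if origin.startswith(pp_dir + os.sep):
        return "PYTHONPATH"
    if origin.startswith(home + os.sep):
        return "USER_SITE"
    return "OTHER"


def run_demo():
    """Return a dict: invocation name -> origin of MODULE ("PYTHONPATH",
    "USER_SITE" or None), plus whether the child had user site enabled."""
    with tempfile.TemporaryDirectory() as root:
        pp_dir = os.path.join(root, "pp")      # reached via PYTHONPATH
        home = os.path.join(root, "home")      # reached via $HOME user site
        os.makedirs(home)
        plant(pp_dir, "ORIGIN = 'PYTHONPATH'\n")

        # Ask a child with this HOME where *it* computes user site, then plant there.
        enabled, user_site = run_child(base_env(home), code=SITEINFO).split(" ", 1)
        plant(user_site, "ORIGIN = 'USER_SITE'\n")

        env = base_env(home)
        env_pp = dict(env, PYTHONPATH=pp_dir)
        cases = {
            "pythonpath":     (env_pp, ()),            # both drop points live
            "pythonpath_E":   (env_pp, ("-E",)),       # PYTHONPATH ignored, HOME still used
            "pythonpath_s":   (env_pp, ("-s",)),       # user site off, PYTHONPATH still used
            "pythonpath_E_s": (env_pp, ("-E", "-s")),  # both off
            "home_only":      (env, ()),               # no PYTHONPATH, only $HOME
            "isolated_I":     (env_pp, ("-I",)),       # -I implies -E -s
        }
        results = {name: classify(run_child(e, f, cwd=root), pp_dir, home)
                   for name, (e, f) in cases.items()}
        results["user_site_enabled"] = (enabled == "True")
        return results


if __name__ == "__main__":
    for name, origin in run_demo().items():
        print("%-18s %s" % (name, origin))
```

The point the thread makes falls out of the `pythonpath_E` row: `-E` alone still lets a module planted under an attacker-chosen $HOME be imported (when the interpreter has user site enabled at all; a venv without system site-packages disables it, which the demo reports rather than assumes), and `-s` alone still honours PYTHONPATH. Only clearing the environment, or passing `-E -s` / `-I`, closes both drop points; a suid wrapper has to do one of those itself, since the (E)UID check only covers the user site half.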