[Python-Dev] Python security team

Brett Cannon brett at python.org
Sun Sep 28 02:45:14 CEST 2008


On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner
<victor.stinner at haypocalc.com> wrote:
> Hi,
>
> I would like to know if a Python security team does exist. I sent an email
> about an imageop issue, and I didn't get any answer. Later I learned that a
> security ticket was created, I don't have access to it.
>

Yes, the PSRT (Python Security Response Team) does exist. We did get
your email; sorry we didn't respond. There are very few members on
that list and most of them are extremely busy. Responding to your
email just slipped through the cracks. I believe Benjamin was the last
person to work on your submitted patch.

> First, I would like access to this information. Not only this issue, but
> all security related issues. I have some knowledge about security and I can
> help to resolve issues and/or estimate the criticality of an issue.
>

That would require commit privileges first. Don't know if the group
requires that a person have a decent amount of time committing to the
core first (I just joined the list in late July).

> Second, I would like to help to fix all Python security issues. It looks like
> the Python community isn't very reactive (proactive?) about security. E.g. a DoS
> was reported in the smtpd server (integrated into Python)... 15 months ago. A patch
> is available but it's not applied in Python trunk.
>

Historically we have not been proactive. No one on the core team (that
I know of) would claim they are a security expert. And with Python not
making any claims to being secure, we just don't worry about DoS
stuff, etc.; only the severe buffer overflow attacks that get reported
and such typically get immediate attention. Considering we have a
Crashers directory in the test suite I think that shows we are not
stressed over plugging every potential crash (although we obviously
would like to).

> Third, I'm also looking for a document explaining "how Python is secure" (!).
> If a user can run arbitrary Python code, we know that it can do anything
> (read/remove any file, create/kill any process, read/write anywhere in
> memory, etc.). Brett wrote a paper about CPython sandboxing. PyPy is also
> working on sandboxing using two interpreters: one has high privilege and
> executes instructions from the second interpreter (after checking the
> permissions and arguments). So is there somewhere a document to explain the
> current status of Python security?
>

Nope. I think my paper and blog posts are about the best you are going
to find since we removed Bastion/rexec. Basically the philosophy has
been "fix privilege escalation stuff immediately, fix crashers when
the fix is simple or someone has the time to fix the complicated
ones". Or at least that is the philosophy I personally have followed.

-Brett

