[Tutor] What are security holes?

dman dsh8290 at rit.edu
Mon Jan 28 09:28:48 EST 2002


On Mon, Jan 28, 2002 at 09:15:12AM -0500, Steve Holden wrote:
| "dman" <dsh8290 at rit.edu> wrote in message
| news:mailman.1012190450.16668.python-list at python.org...
| > On Sun, Jan 27, 2002 at 06:33:05PM -0800, Mishre wrote:
| > | [snip]
| > |
| > | > | One way around this is to use Gordon McMillan's Installer[1] to create
| > | > | standalone programs, which do not require Python to be installed.
| > | >
| > | > As I understand it, the program still requires python.  The only
| > | > difference is the installer has python bundled with the program so the
| > | > end-user doesn't (necessarily) realize that.  It is just an installer,
| > | > not a compiler.
| > |
| > | Technically, yes. :)
| > |
| > | When the interpreter is included in the result, it would prevent
| > | unauthorized use of the interpreter.  Unless the attacker knows that
| > | you are using the bundled interpreter and can access it from their
| > | program.  However, this would require that they know to search for it,
| > | how to use it from their new script and the libs that are available.
| >
| > Yeah, sure.  Security through obscurity.  Reminds me of the cartoon on
| > the cover of the O'Reilly TCP/IP networking book ("you must be at
| > least this tall to storm the castle") :-).
|
| Are you sure you don't mean the Prentice-Hall "Firewalls and Network
| Security" by Cheswick & Bellovin?

I don't know, I don't have the book (I've only seen it).

| Sure, it's unsafe distributing bits of the Python system. But then it's
| unsafe getting out of bed in the morning!

Right!

| At least it answers the need to distribute Python applications
| without having to say "But you have to install the Python language
| first".

I didn't say the installer wasn't useful; it just isn't useful for
keeping python off the system while still running python programs.

| If someone knows enough to look for bits of the Python system in a
| distributed application then they have many more direct ways to subvert a
| system without extracting bits of the Python system from the application and
| using them.

I agree with that.  (but I guess I wasn't clear enough on that in my
previous post)

-D

-- 

One OS to rule them all, one OS to find them,
One OS to bring them all and in the darkness bind them,
In the Land of Redmond, where the Shadows lie.