[Tutor] What are security holes?

Mishre mishre at hushmail.com
Sun Jan 27 14:17:34 EST 2002


dman <dsh8290 at rit.edu> wrote in message news:<mailman.1012074223.11276.python-list at python.org>...
> On Sat, Jan 26, 2002 at 02:09:21PM +0100, A wrote:
> | We are going to install Python on our Linux server. Are there any 
> | security holes for hackers? What would we be careful about and 
> | how we should set it up? Are there any guidelines for installing 
> | Python?
> 
> # apt-get install python2.2
> 
> :-)  (well, if by "linux" you mean the "debian" distribution)
> 
> The problem with having python is the same one you will have with
> perl, sh, gcc, g++, ruby, tcl, etc.  Each of those allows a person to
> instruct the computer to do something.  You certainly don't want to
> make your python binary SUID root or something.
> 
> I am not aware of any "gotchas" wrt to installing python on a system.
> 
> -D

One way around this is to use Gordon McMillan's Installer[1] to create
standalone programs, which do not require Python to be installed.  We
do this a lot where I work (c: I work for a security consulting
company) when we don't want an interpreter or compiler on the system.

The down side to this approach is that it is an extra step and is not
available on every platform that Python runs on.

I do the same thing for PyQT programs, but this is usually to prevent
end users from changing something they shouldn't in the code.

-M

[1] http://www.mcmillan-inc.com
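
An added example, not part of the original messages: a small audit for the one concrete risk named in the quoted reply, an interpreter or compiler installed setuid/setgid. The name list comes from that reply; `tclsh` (the usual Tcl binary name), the regex, and the function names are assumptions of this sketch.

```python
import os
import re
import stat

# Tools named in the quoted reply, plus tclsh; an optional version suffix
# is allowed so that binaries such as python2.2 match, but "shred" does not.
NAME_RE = re.compile(r"^(python|perl|sh|gcc|g\+\+|ruby|tcl(sh)?)[-\d.]*$")

def risky_bits(mode):
    """Return the names of the set-id bits present in an st_mode value."""
    bits = []
    if mode & stat.S_ISUID:
        bits.append("setuid")
    if mode & stat.S_ISGID:
        bits.append("setgid")
    return bits

def audit(dirs=None):
    """Scan directories (default: $PATH) for set-id interpreter binaries."""
    if dirs is None:
        dirs = os.environ.get("PATH", "").split(os.pathsep)
    findings = []
    for d in dirs:
        try:
            entries = sorted(os.listdir(d))
        except OSError:
            continue  # missing or unreadable directory
        for entry in entries:
            if not NAME_RE.match(entry):
                continue
            path = os.path.join(d, entry)
            try:
                st = os.stat(path)  # follows symlinks: the target's mode counts
            except OSError:
                continue  # dangling symlink
            bits = risky_bits(st.st_mode) if stat.S_ISREG(st.st_mode) else []
            if bits:
                findings.append((path, st.st_uid, bits))
    return findings

if __name__ == "__main__":
    for path, uid, bits in audit():
        print(f"{path}: {'+'.join(bits)} (owner uid {uid})")
```

An empty result means none of the matched binaries on the scanned path carries a set-id bit; any finding owned by uid 0 is the case the reply warns about.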
