rexec & Bastion ?
Gabriel Genellina
gagsl-py2 at yahoo.com.ar
Wed Apr 11 22:50:13 EDT 2007
On Wed, 11 Apr 2007 19:26:27 -0300, Erik Johnson <nobody at invalid.com>
wrote:
> The documentation for these two modules says that they were disabled in
> Python 2.3 due to security holes not easily fixable. I have not worked with
> them, but I can still import them under Python 2.4, so I'm not clear on
> whether the security problems were fixed in Python itself, or whether the
> modules remain deprecated (disabled?)? How are/were they actually disabled?
> Any place that documents what the problems are? Any alternatives?
They were insecure in 2003, and still are. This example still works (you
have to re-enable Bastion.py and rexec.py to test, removing the explicit
RuntimeError raise)
http://mail.python.org/pipermail/python-dev/2003-January/031851.html
With new-style classes you can create new instances using type(), for
example; this way you can bypass the read-only restriction on files.
The language has grown plenty of new attributes, they're very handy, but
provide a lot of security holes; like __subclasses__ for example.
As far as I know, Python can't secure itself by now. I think you have to
go outside Python, using a chroot jail for example.
--
Gabriel Genellina
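
Added example, not part of the original post: on a current Python 3 interpreter (an assumption; the post concerns Python 2.3/2.4), an expression evaluated with no builtins at all can still reach the class hierarchy through the attributes the post mentions, and a small `ast` audit can flag those names when reviewing untrusted code. The function names and the sample string are constructed for illustration.

```python
import ast

# Attribute names that let code walk from any object to the type hierarchy.
INTROSPECTION_ATTRS = {"__class__", "__base__", "__bases__", "__mro__",
                       "__subclasses__", "__globals__", "__dict__"}


def eval_without_builtins(expr):
    """Evaluate expr with an empty __builtins__ mapping and return the result."""
    return eval(expr, {"__builtins__": {}}, {})


def audit(source):
    """Return sorted (line, name) pairs for introspection attributes and type() calls."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute) and node.attr in INTROSPECTION_ATTRS:
            findings.add((node.lineno, node.attr))
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
              and node.func.id == "type"):
            findings.add((node.lineno, "type()"))
    return sorted(findings)


# Constructed sample of untrusted input: no builtin names are used at all.
SAMPLE = "().__class__.__base__.__subclasses__()"

if __name__ == "__main__":
    classes = eval_without_builtins(SAMPLE)
    # Removing builtins did not remove access to the interpreter's classes.
    print(len(classes), "classes reachable with an empty __builtins__")
    for line, name in audit(SAMPLE):
        print("line %d: uses %s" % (line, name))
```

A name check like this is a review aid, not a containment mechanism, which fits the post's conclusion that isolation has to come from outside the interpreter.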