[IronPython] E: Default install location and site-packages
Michael Foord
fuzzyman at voidspace.org.uk
Tue Oct 6 20:10:18 CEST 2009
Dino Viehland wrote:
> Michael wrote:
>
>> I still see it as a question of usability rather than security. (I'm
>> honestly not sure how creating a writable directory is a security
>> issue?) If the default install location of IronPython makes installing
>> and using Python packages with IronPython impossible for non-elevated
>> users then that is an extreme misfeature.
>>
>
> This is the security problem. Let's say I, a normal user, go into
> C:\Python26\Lib\site-packages and creates or modifies sitecustomize.py.
> In sitecustomize.py I add some code like:
>
>     import os
>     if os.environ['USERNAME'] == 'Administrator':
>         # install malware here, set myself as an administrator, format C,
>         # etc...
>         pass
>
> Now I just sit back and wait for an administrator to start some program
> which relies on Python. I now have full control of a machine which I was
> originally only granted normal user access on.
>
>
>
Well, fair enough [1]. :-)

Except it may *still* leave distutils / package management basically
unusable for many people. That would still seem to be bad. I'd like to
work on making Distribute (the successor to setuptools) compatible with
IronPython but it is going to require a working distutils system.

Can PEP 370 style site-packages be made the default for IronPython?

Michael

[1] I don't have this problem on the Mac. I have a system installed
Python that I must sudo to modify and a user installed one that I don't.
Even a user installed IronPython wouldn't have write permissions in the
normal site-packages folder on Windows, right?
--
http://www.ironpythoninaction.com/
http://www.voidspace.org.uk/blog
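
Added example, not part of the original message or of IronPython: a Python audit for the risk Dino describes, flagging import-path directories and startup modules (sitecustomize.py, plus usercustomize.py as a generalization) that group or other accounts can write to. It assumes POSIX mode bits; on Windows, where those bits do not reflect ACLs, the directory permissions need a separate check (for example with icacls). The function names are illustrative.

```python
import os
import site
import stat
import sys

# Modules the site machinery imports automatically at interpreter startup.
STARTUP_MODULES = ("sitecustomize.py", "usercustomize.py")


def _loosely_writable(path):
    """True if POSIX mode bits let group or others write to path."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_import_path(paths=None):
    """Return (path, reason) findings for places where another account could
    plant or edit code that runs when a privileged user starts Python."""
    findings = []
    for entry in (sys.path if paths is None else paths):
        entry = entry or os.getcwd()  # '' on sys.path means the current directory
        if not os.path.isdir(entry):
            continue  # zip archives and missing entries are out of scope here
        if _loosely_writable(entry):
            findings.append((entry, "directory writable by group/others"))
        for name in STARTUP_MODULES:
            candidate = os.path.join(entry, name)
            if os.path.isfile(candidate) and _loosely_writable(candidate):
                findings.append((candidate, "startup module writable by group/others"))
    return findings


if __name__ == "__main__":
    # PEP 370: the per-user site directory is the place for unprivileged installs.
    print("per-user site:", site.getusersitepackages(),
          "enabled:", site.ENABLE_USER_SITE)
    for path, reason in audit_import_path():
        print("WARN", path, "-", reason)
```
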