[issue5802] The security descriptors of python binaries in Windows are not strict enough

Brian Curtin report at bugs.python.org
Mon Mar 1 16:45:56 CET 2010


Brian Curtin <curtin at acm.org> added the comment:

Even if we changed the ACL of the executable, any user could still add malicious code to be executed on import, as the C:\PythonXY directory doesn't require specific privileges for writing to it, and it shouldn't by default. When installed to "C:\Program Files", certain privileges are required to install anything, so regular users can't install third-party code or swap out the interpreter.

If you need the added security, you are more than welcome to choose to install Python to a more secure location. Defaulting to "C:\Program Files" isn't necessary.

See also: issues #1074873 and #818030

----------
resolution:  -> rejected
status: open -> closed

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue5802>
_______________________________________
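
The directory-level exposure described in the comment above can be audited from `icacls` output. The following is an added example, not part of the tracker message or of CPython: the function name, the trusted-principal list and both sample ACL listings are assumptions constructed for illustration.

```python
import re

# Assumption: principals treated as administrative; adjust for your environment.
TRUSTED = {r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM",
           r"NT SERVICE\TrustedInstaller"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# icacls rights that allow creating or changing files in a directory:
# F=full, M=modify, W=write, WD=write data/add file, AD=append data/add subdir.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD"}

# Constructed sample: directory created under C:\ and inheriting the root ACL.
ROOT_SAMPLE = r"""C:\Python26 BUILTIN\Administrators:(I)(OI)(CI)(F)
            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
            BUILTIN\Users:(I)(OI)(CI)(RX)
            NT AUTHORITY\Authenticated Users:(I)(M)
            NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample: the same install placed under C:\Program Files.
PF_SAMPLE = r"""C:\Program Files\Python26 BUILTIN\Administrators:(I)(OI)(CI)(F)
                          NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                          BUILTIN\Users:(I)(OI)(CI)(RX)
"""


def risky_aces(icacls_output, path):
    """Return sorted (principal, rights) pairs letting non-admins write to path."""
    findings = set()
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.startswith(path):          # first line is prefixed with the path
            line = line[len(path):].strip()
        who, sep, rest = line.rpartition(":(")
        if not sep:
            continue                       # blank line or the summary line
        groups = re.findall(r"\(([^)]*)\)", "(" + rest)
        if "DENY" in groups:
            continue                       # deny entries grant nothing
        rights = {r.strip() for g in groups if g not in INHERIT_FLAGS
                  for r in g.split(",")}
        hit = rights & WRITE_RIGHTS
        if hit and who not in TRUSTED:
            findings.add((who, ",".join(sorted(hit))))
    return sorted(findings)


if __name__ == "__main__":
    print(risky_aces(ROOT_SAMPLE, r"C:\Python26"))
    print(risky_aces(PF_SAMPLE, r"C:\Program Files\Python26"))
```

Any entry returned for the install directory means the interpreter's import path is writable by that principal, regardless of the ACL on the executable itself.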