Setting sys.path when building python
Brian Reynolds
reynolds at panix.com
Sun Aug 13 10:39:56 EDT 2000
I didn't realize this had been emailed to me also.
In article <39964445.6C661709 at hack.org>,
Rikard Bosnjakovic <bos at hack.org> wrote:
>Brian Reynolds wrote:
>> As built out of the box (i.e., './configure; make; make test; make
>> install') the value of sys.path includes the current working directory
>> (i.e., '.'). On a multiuser OS this is a Bad Idea(tm).
>
>Bad idea for what?
>
System security. It is trivial to leave files in shared directories
that a user might cd to that will override the expected results of
common commands. On a UNIX system the traditional thing to do is to
leave a shell script called ls in a directory and have that shell
script do whatever you want (maybe including actually calling the
real /bin/ls so the user doesn't suspect anything). This is a form of
Trojan Horse attack. It would be just as easy to create a Trojan
python module or package. If your search path (either $PATH or
sys.path) doesn't contain the current working directory you don't fall
prey to this sort of attack.
>>>> print sys.__doc__
>[...]
>path -- module search path; path[0] is the script directory, else ''
>
And that's what I want to change. I do not want the installed python
(or its libraries) to include the current working directory in the
default path.
--
Brian Reynolds | "Dee Dee! Don't touch that button!"
reynolds at panix.com | "Oooh!"
http://www.panix.com/~reynolds | -- Dexter and Dee Dee
NAR# 54438 | "Dexter's Laboratory"
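
An added example, not part of the original post: a defender-side audit of a module search path for the condition discussed above, written for current Python 3. The function names `audit_search_path` and `without_cwd_entries` are hypothetical, and the extra check for group- or world-writable directories is an assumption that goes beyond the post's point about `''` and `'.'`.

```python
import os
import stat
import sys


def audit_search_path(entries, cwd=None):
    """Return (entry, reason) pairs for risky entries in a module search path."""
    cwd = os.path.realpath(cwd or os.getcwd())
    findings = []
    for entry in entries:
        if not isinstance(entry, str):
            continue
        # '' and any relative entry resolve against the working directory
        # at import time, so whoever controls that directory controls imports.
        if entry == "" or not os.path.isabs(entry):
            findings.append((entry, "relative to current working directory"))
            continue
        real = os.path.realpath(entry)
        if real == cwd:
            findings.append((entry, "is the current working directory"))
        try:
            mode = os.stat(real).st_mode
        except OSError:
            continue  # nonexistent entries cannot supply a module
        # Assumption beyond the post: a shared-writable directory on the path
        # lets other local users plant a module, same as a shared cwd.
        if stat.S_ISDIR(mode) and mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "directory writable by group or others"))
    return findings


def without_cwd_entries(entries):
    """Return the search path with '' and other relative entries dropped."""
    return [e for e in entries if isinstance(e, str) and e and os.path.isabs(e)]


if __name__ == "__main__":
    for entry, reason in audit_search_path(sys.path):
        print(f"{entry!r}: {reason}")
```

Python 3.11 and later also provide the `-P` option and the `PYTHONSAFEPATH` environment variable, which stop the interpreter from prepending the script directory or current directory to `sys.path`.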