[Tutor] Security [Was: Re: Decoding]
Eric Brunson
brunson at brunson.com
Tue Aug 14 18:02:42 CEST 2007
Michael Sparks wrote:
> On Monday 13 August 2007 21:53, Kent Johnson wrote:
>
>> Hmm...could be a remote connection such as ssh, which precludes the
>> sledgehammer though probably not the sort of mischief you can get into
>> with eval()...perhaps there are untrusted remote connections where
>> eval() would still be a significant risk, I don't know...
>>
>
> If they can ssh into a box, the likelihood of that ssh connection *only*
> allowing them access to run that single python program strikes me as
> vanishingly small :-)
>
>
Unless you set it up that way specifically, i.e. making the interactive
python program their login shell or specifying it to be run in their
.ssh/config.
P.S.
Michael, sorry for the double post to you, I missed the "reply all"
button the first time.
> Generally speaking I agree that eval is a good opportunity for problems, but
> if it's in response to raw_input, I think the likelihood of it being the
> biggest potential security problem is low :)
>
> (After all, if they're ssh'ing in, they're more likely to ssh in, *then* run
> the code. They could happily delete and trash all sorts of things either
> inside or outside python. They could even write their own scripts to assist
> them in their devilish plans too, far exceeding the minor demon of eval ;-)
>
> Eval can however be an amazingly useful function, especially when combined
> with exec.
>
>
> Michael.
> _______________________________________________
> Tutor maillist - Tutor at python.org
> http://mail.python.org/mailman/listinfo/tutor
>