On Tue, Jun 13, 2017 at 07:45:35AM +0000, Stuart Henderson wrote:
| On 2017-06-13, Josh Stephens <[email protected]> wrote:
| > Thank you Theo. After reading through your reply I would rather not
| > deal with a potential risk. I decided to go down the path of adding a
| > venv directory in /usr/local and giving my account as owner and wheel
| > as group. This should allow the python binaries to stay in /usr/local
| > and not have to set wxallowed on my /home directory. I believe this to
| > be a safer option but unfortunately security is not my strong suit so
| > I might be missing another security implication by going down this
| > road.
| >
| >
|
| Note that python itself doesn't need W|X mappings, as long as you aren't
| using the very small number of python modules that need them (mostly
| webkit-related) you can remove the USE_WXNEEDED line from the port and
| rebuild from there.

So, I'm one of those people that use python but not the modules that
require W|X. It seems to me that I can further improve the security
of my machine by mounting /usr/local without wxallowed and building
python without USE_WXNEEDED like you suggest.

However, the convenience of just installing packages is then lost.
After a discussion on IRC, a couple of ways to deal with this came up:

1. add a non-USE_WXNEEDED flavour of the python port
2. have the python port(s) ship two binaries (one with, one without
   OPENBSD_WXNEEDED)
3. allow running binaries that have the OPENBSD_WXNEEDED header from
   non-wxallowed filesystems, but simply kill them once they try W|X

The first one gets hairy quick, when you later decide to install one
of the python modules that require W|X (solution "don't do that
then"?). The third option seems unlikely given the direction of
development in this area so far. So, what about 2)?

I'll readily admit it's not my idea, but I do like it as a way of
further improving the security of my system (by ensuring nothing runs
with W|X), while still allowing me to use python (which, in my case,
shouldn't be using W|X).

Even if, at some point in the future, those few modules that require
W|X are fixed to no longer do that, you can still write python code
that needs it (much like you can still write C code that does this);
so how do we progress from here if the goal is to get rid of the
wxallowed flag and the OPENBSD_WXNEEDED header altogether and just
flat out always refuse W|X?

Thoughts?

Paul
--
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
http://www.weirdnet.nl/
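The two facts the thread turns on, whether a binary carries the OPENBSD_WXNEEDED program header and whether the kernel will actually hand a process a W|X page, can both be checked directly rather than inferred from the port's build flags. What follows is an added example, not code from this thread, from the python port, or from the OpenBSD tree. It parses the program headers of an ELF64 image looking for PT_OPENBSD_WXNEEDED (the value 0x65a3dbe7 is taken from OpenBSD's <sys/exec_elf.h>, and is defined locally for systems whose <elf.h> lacks it), then tries to obtain a writable-and-executable page both by a direct mmap and by the mmap-then-mprotect pattern a JIT uses. A little-endian ELF64 host is assumed; the file name wxcheck.c, the python path in the comments and the two in-memory sample images are constructed for the example.

```c
/* wxcheck.c: (a) does an ELF binary carry the PT_OPENBSD_WXNEEDED program
 * header, (b) will this kernel hand the process a W|X page. Little-endian
 * ELF64 host assumed. Build: cc -o wxcheck wxcheck.c; run: ./wxcheck [binary] */
#define _DEFAULT_SOURCE 1
#include <elf.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef PT_OPENBSD_WXNEEDED
#define PT_OPENBSD_WXNEEDED 0x65a3dbe7 /* value from OpenBSD <sys/exec_elf.h> */
#endif

/* 1 if the image carries PT_OPENBSD_WXNEEDED, 0 if not, -1 if it is not a
 * parseable little-endian ELF64 image. Every read is bounds checked against
 * len, so a truncated or hostile file cannot make us read past the buffer. */
int elf_has_wxneeded(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh;
    Elf64_Phdr ph;
    Elf64_Off off;
    Elf64_Half i;

    if (len < sizeof eh || memcmp(buf, ELFMAG, SELFMAG) != 0 ||
        buf[EI_CLASS] != ELFCLASS64 || buf[EI_DATA] != ELFDATA2LSB)
        return -1;
    memcpy(&eh, buf, sizeof eh);
    if (eh.e_phentsize < sizeof ph)
        return -1;
    for (i = 0, off = eh.e_phoff; i < eh.e_phnum; i++, off += eh.e_phentsize) {
        if (off > len || len - off < sizeof ph)
            return -1;
        memcpy(&ph, buf + off, sizeof ph);
        if (ph.p_type == PT_OPENBSD_WXNEEDED)
            return 1;
    }
    return 0;
}

/* Same check on a file on disk, e.g. /usr/local/bin/python3.6 (path assumed). */
int elf_file_has_wxneeded(const char *path)
{
    FILE *f = fopen(path, "rb");
    unsigned char *buf = NULL;
    long sz = 0;
    int rc = -1;

    if (f && fseek(f, 0, SEEK_END) == 0 && (sz = ftell(f)) > 0 &&
        fseek(f, 0, SEEK_SET) == 0 && (buf = malloc((size_t)sz)) != NULL &&
        fread(buf, 1, (size_t)sz, f) == (size_t)sz)
        rc = elf_has_wxneeded(buf, (size_t)sz);
    free(buf);
    if (f)
        fclose(f);
    return rc;
}

/* Two constructed sample images, not real binaries: an ELF64 header (64 bytes)
 * followed by one program header (56 bytes); both types are 8-byte aligned,
 * so the struct has no padding and matches the on-disk layout exactly. */
struct sample { Elf64_Ehdr eh; Elf64_Phdr ph; };
#define SAMPLE(ptype) { { .e_ident = { 0x7f, 'E', 'L', 'F', ELFCLASS64,     \
        ELFDATA2LSB, EV_CURRENT }, .e_phoff = sizeof(Elf64_Ehdr),          \
        .e_phentsize = sizeof(Elf64_Phdr), .e_phnum = 1 }, { .p_type = (ptype) } }
static const struct sample sample_wx = SAMPLE(PT_OPENBSD_WXNEEDED);
static const struct sample sample_plain = SAMPLE(PT_NOTE);
#define CHECK(s) elf_has_wxneeded((const unsigned char *)&(s), sizeof (s))

/* 0 if the kernel granted a W|X page, else the errno it returned. jit_style
 * maps RW first and then asks mprotect for EXEC, the pattern JITs use. On
 * OpenBSD a process whose binary lacks the WXNEEDED header gets ENOTSUP here
 * (or SIGABRT when sysctl kern.wxabort=1); a default Linux kernel grants both. */
int probe_wx(int jit_style)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    int rwx = PROT_READ | PROT_WRITE | PROT_EXEC, rc = 0;
    void *p = mmap(NULL, pg, jit_style ? PROT_READ | PROT_WRITE : rwx,
                   MAP_PRIVATE | MAP_ANON, -1, 0);

    if (p == MAP_FAILED)
        return errno;
    if (jit_style && mprotect(p, pg, rwx) != 0)
        rc = errno;
    munmap(p, pg);
    return rc;
}

int main(int argc, char **argv)
{
    int a = probe_wx(0), b = probe_wx(1);

    printf("sample with header   : %d\n", CHECK(sample_wx));
    printf("sample without header: %d\n", CHECK(sample_plain));
    if (argc > 1)
        printf("%-21s: %d\n", argv[1], elf_file_has_wxneeded(argv[1]));
    printf("mmap W|X             : %s\n", a ? strerror(a) : "granted");
    printf("mprotect to W|X      : %s\n", b ? strerror(b) : "granted");
    return 0;
}
```

Point it at whichever python the port installed to see whether that binary carries the header; a build without USE_WXNEEDED should report 0. The two probe lines describe the process running wxcheck, not the python binary: the header of the executing binary and the wxallowed state of the filesystem it was started from decide what the kernel answers, so to see the "granted" side of the comparison on OpenBSD the example itself has to be linked with the linker's -z wxneeded option and run from a wxallowed mount. ENOTSUP on both probes is the state the thread is aiming for; a default Linux kernel answers "granted" to both, which is a useful reminder of how much the OpenBSD policy refuses.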