Jean-Paul Calderone wrote: > If it should, I think the PEP should explain the attack this defends > against in more detail. The current brief mention of "security issues" > is a bit hand-wavey. For example, what is the relationship between > security, this feature, and the PYTHONPATH environment variable? Isn't > the attack of putting malicious code into a user site-packages directory > the same as the attack of putting it into a directory in PYTHONPATH?
The PYTHONPATH env var has the same security implications. However a user has multiple ways to avoid problems. For example the user can use the -E flag or set up sudo to ignore the environment. The uid and gid tests aren't really required. They just provide an extra safety net if a user forgets to add the -s flag to a suid app. Christian _______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
