On 12:26 pm, [EMAIL PROTECTED] wrote:
>On Thu, 17 Jan 2008 13:09:34 +0100, Christian Heimes <[EMAIL PROTECTED]>
>wrote:
>>The uid and gid tests aren't really required. They just provide an
>>extra safety net if a user forgets to add the -s flag to a suid app.
>It's not much of a safety net if PYTHONPATH still allows injection of
>arbitrary code. It's just needless additional complexity for no
>benefit.

By confusing users' expectations, it may actually be *worse* to add this "safety net" than to do nothing. It should be obvious right now that tightly controlling the environment is a requirement of any suid Python code. However, talking about different behavior in the case of differing euid and uid might confuse some developers and/or administrators into thinking that Python was doing all it needed to.

There's also the confusion that the value of $HOME is actually the relevant thing for controlling "user-installed" imports, not the (E)UID.

I think it would be good to have a look at the security implications of this and other environment-dependent execution, including $PYTHONPATH and $PYTHONSTARTUP, in a separate PEP. It might be good to change the way some of these things work, but in either case it would be good to have an unambiguous declaration of the *expected* security properties and potential attack vectors against the Python interpreter, for both developers and system administrators.

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev