> On 30 May 2019, at 01:49, Steven D'Aprano <st...@pearwood.info> wrote:
>
> On Wed, May 29, 2019 at 10:22:31PM +0100, Barry wrote:
>
>> Serhiy, I think, is conflating two things.
>> 1. How to write software robust against attack.
>> 2. How to replace a symlink atomically.
>
> I don't have an opinion on whether Serhiy is right or wrong.
>
>
>> The only reason 1 is a problem is that the application is not in
>> control of its file space which I would suggest means you already
>> lost.
>>
>> I think the OP wants a solution to 2,
>
> In the bug report Tom linked to initially:
>
> https://bugs.python.org/issue36656
>
> he clearly references an attacker overwriting the file, rather than an
> accidental overwrite. So I think #1 is relevant -- except that Serhiy
> makes a good point that atomicity doesn't solve #1.
>
> I admit to a preference for atomic file operations where possible.
> Atomic operations are generally better, because they either succeed or
> fail, they don't half succeed and leave detritus lying around that you
> have to clean up. That's a good thing.
>
> No offense intended to Serhiy... I don't know why the concept is so
> controversial. I feel that had a core dev just gone ahead and
> implemented this behaviour either in shutil or os.symlink, nobody would
> have objected and asked for it to be removed. It's only because Tom has
> to (a) ask permission and (b) discuss the design first that we are
> having the debate.
>
> Making things atomic may not be a solution to every problem, but nor is
> it harmful and something we want to avoid. I can understand Serhiy
> saying "I don't care to implement this myself, and I won't review the
> PR, let somebody else do it" but I'm not sure why he is objecting to a
> volunteer willing to do the job.
>
> But since Serhiy has objected, Tom has to respond to those objections.
> Serhiy is one of the most productive and most respected of the core
> devs, and right or wrong he cannot be ignored.
Sorry, I should have checked back on the OP report, not relied on my memory.
Serhiy is right that atomic rename will not fix all security problems.
Designing secure software takes a lot of analysis.
As you say, the atomic rename is valuable in its own right.
I'd not put it in os, as an implementation based on ln -sf would
not be trivial, and I think it better fits in shutil.
Barry
>
>
> --
> Steven
> _______________________________________________
> Python-ideas mailing list
> Python-ideas@python.org
> https://mail.python.org/mailman/listinfo/python-ideas
> Code of Conduct: http://python.org/psf/codeofconduct/
>
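The atomic symlink replacement the thread is talking about (create a temporary link in the same directory, then rename it over the old one so readers never see a missing link), as an added example that is not part of this thread or of CPython's shutil; the names atomic_symlink and demo and the refuse-to-clobber check are this example's own, and it assumes a POSIX filesystem where rename(2) is atomic.

```python
import os
import stat
import tempfile


def atomic_symlink(target: str, link_path: str) -> None:
    """Point link_path at target, replacing an existing symlink atomically.
    A temp link in the same directory is renamed onto link_path (rename(2) is
    atomic on POSIX), so readers never see the gap that unlink+symlink opens.
    """
    parent = os.path.dirname(link_path) or "."
    try:
        mode = os.lstat(link_path).st_mode
    except FileNotFoundError:
        mode = None
    # Only replace a symlink: os.replace() cannot overwrite a directory, and
    # silently renaming over a regular file would hide a misconfiguration.
    if mode is not None and not stat.S_ISLNK(mode):
        raise FileExistsError(f"{link_path!r} exists and is not a symlink")
    base = os.path.basename(link_path)
    while True:  # same directory keeps the rename on a single filesystem
        tmp = os.path.join(parent, f".{base}.{os.urandom(6).hex()}.tmp")
        try:
            os.symlink(target, tmp)
            break
        except FileExistsError:
            continue  # name collision: pick another random suffix
    try:
        os.replace(tmp, link_path)
    except BaseException:
        os.unlink(tmp)  # leave no detritus behind on failure
        raise


def demo() -> tuple:
    """Exercise atomic_symlink in a scratch directory (constructed input)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "v2"), "w") as f:
            f.write("v2")  # a regular file, used to show the clobber refusal
        link = os.path.join(d, "current")
        atomic_symlink("v1", link)
        first = os.readlink(link)
        atomic_symlink("v2", link)  # swapped in place, no missing-link window
        second = os.readlink(link)
        try:
            atomic_symlink("v1", os.path.join(d, "v2"))  # v2 is not a symlink
            refused = False
        except FileExistsError:
            refused = True
        return first, second, refused
```

The temporary-name loop and the cleanup on failure are what keep the operation from leaving half-finished state behind, which is the point made above about atomic operations either succeeding or failing outright.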