On 06/28/18 00:46, Steven D'Aprano wrote:

Yes, attacks by trusted insiders are the hardest to defend against.
Betrayal of trust sucks. Trusted users with sufficient privileges could
just modify the source code of your application or of Python itself. They
could also attack your system in a thousand different ways.

But what about untrusted users with fewer privileges? They *can't* modify
the source code of your application, or change the password on other
accounts, or read arbitrary files, or masquerade as other users. Because
they have unprivileged accounts.

So why give them the ability to escalate their privilege to that of your
application (which probably can do lots of things they can't do) by
directly executing Python code they supply?

???  I don't follow.  I never suggested allowing someone the ability to directly execute user-supplied Python code.  However, if they have the privileges necessary to run the application, I don't see the security risk.  Many applications have embedded scripting engines that do just that.

Your argument is akin to:

"I gave my partner a key to my house, and they could rob me blind if they
want. Since I trust them not to, there's no point in locking the door to
the house when I go out, since they have a key."

Not exactly.  The original question was about reading config variables from a file in Python.  That sort of thing didn't suggest (to me) a world-facing web app or other security-conscious situation.

It's more like leaving the door unlocked while I'm home...

-Jim

--
https://mail.python.org/mailman/listinfo/python-list
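The difference the thread is arguing about, as an added illustration rather than code from either poster: reading "config variables from a file" by executing the file as Python runs any statement it contains with the application's privileges, whereas accepting only literals refuses anything that is not plain data. The config text and both loader functions are constructed for this example.

```python
import ast

# Constructed sample config. The last line is an expression, not a literal:
# exec() will happily compute it (and would run any other statement too).
UNTRUSTED_CONFIG = """\
host = 'db.example.internal'
port = 5432
retries = int('3') + 1
"""


def load_config_by_exec(text):
    """The pattern under discussion: execute the config file as Python.

    Every statement in the file runs with the application's privileges,
    so whoever can write the file gets the application's access.
    """
    namespace = {}
    exec(text, namespace)
    return {k: v for k, v in namespace.items() if not k.startswith("__")}


def load_config_literals_only(text):
    """Parse 'name = value' lines but accept only Python literals.

    ast.literal_eval handles str, int, float, bool, None and containers of
    those; any call, attribute access or import raises ValueError, so the
    file is treated as data, not as code.
    """
    result = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        name = name.strip()
        if not sep or not name.isidentifier():
            raise ValueError(f"line {lineno}: expected 'name = literal'")
        try:
            result[name] = ast.literal_eval(value.strip())
        except (ValueError, SyntaxError) as exc:
            raise ValueError(f"line {lineno}: {name!r} is not a literal") from exc
    return result


if __name__ == "__main__":
    print(load_config_by_exec(UNTRUSTED_CONFIG))        # retries == 4
    try:
        load_config_literals_only(UNTRUSTED_CONFIG)
    except ValueError as err:
        print("rejected:", err)                         # line 3 refused
```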