On Thursday, November 7, 2013 7:13:39 AM UTC-8, [email protected] wrote:
>
>
> I read through that ticket before posting, but I didn't (and still don't)
> see a solution to my problem. Admittedly I don't understand all of the
> issues talked about on that ticket. I created a test script in the same
> group writable directory I mentioned previously with the following content:
> ...
>
> When I run this with python or sage, it runs fine. However, when I try to
> run the doctest, I get the same RuntimeError as before. I'm not sure how
> this fits into the discussion you referenced on trac, but it doesn't seem
> like the right behavior, unless I'm missing something.
Your problem arises from the fact that Sage's Python is patched to be a
little more picky about permissions on paths. For reference, this is from
sys_path_security.patch:
+ if (given_arg[0] != '\0' && stat(given_arg, &arg_stat) == 0) {
+ /* Only keep group bits if the group is the same as the
+ * group of "parent" (otherwise the group is considered unsafe). */
+ if (arg_stat.st_gid != parent_stat.st_gid)
+ arg_stat.st_mode &= 0707;
+ /* If parent does *not* have the sticky bit set, "arg" is at
+ * least as writable as "parent". This obviously only applies
+ * if "arg" is an existing file/directory inside "parent", which
+ * is the case here. */
+ if (!(parent_stat.st_mode & S_ISVTX))
+ arg_stat.st_mode |= parent_stat.st_mode;
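
Review bot: In the second `if`, `arg_stat.st_mode |= parent_stat.st_mode;` merges the parent's entire `st_mode` rather than only its permission bits, and it runs after the `&= 0707` step. When the gids differ, the group bits just cleared from "arg" can therefore come back as the parent's group bits, which refer to a different group (unless `parent_stat` was filtered earlier, which these lines do not show). If that is intended, because write access to a non-sticky parent allows replacing "arg", the comment should say so explicitly. Masking the merge to permission bits, for example `arg_stat.st_mode |= parent_stat.st_mode & 0777;`, would keep file-type and setuid/setgid bits out of the result. A short comment that `&= 0707` also discards everything except the owner and other permission bits would help the next reader.
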
So I suspect your group-writable directory sits in a directory with a
different group ID (that would be the normal setup for, say, a group
writeable directory in /home). Your use case shows perhaps that this is not
such a great heuristic. On the other side, from a security point of view
it's better than nothing.
I see several solutions:
- Change group ownership of the parent directory (that might need help
from your sysadmin and it's very likely he'd have good reasons to object)
- Nest everything one level deeper: make a directory INSIDE your
group-owned-and-writeable directory and put everything in there. I think
that might be enough to circumvent the newly-devised test.