#13579: test_executable security risk
------------------------------------------------+---------------------------
       Reporter:  vbraun                        |         Owner:  mvngu
           Type:  defect                        |        Status:  needs_review
       Priority:  blocker                       |     Milestone:  sage-5.4
      Component:  doctest                       |    Resolution:
       Keywords:                                |   Work issues:
Report Upstream:  N/A                           |     Reviewers:  Volker Braun, Jeroen Demeyer
        Authors:  Jeroen Demeyer, Volker Braun  |     Merged in:
   Dependencies:                                |      Stopgaps:
------------------------------------------------+---------------------------

Comment (by vbraun):

 It's pretty difficult to reliably determine if others have write access to
 the directory. Your system might not use the traditional u/g/o security
 model but rely on one of the SELinux ACMs, or even a completely different
 security model.

 I'm in favor of removing cwd from `sys.path` in `sage-env` if it is not a
 subdirectory of the user's home directory. That's a pretty specific measure
 that keeps the convenience of easy importing while keeping use pretty
 safe. But that should be an additional security measure, and is definitely
 not the solution to the issue here.

 `test_executable` has to be implemented in a manner that is not dependent
 on other scripts, or we will see the same issue crop up again at a later
 time.

-- 
Ticket URL: <http://trac.sagemath.org/sage_trac/ticket/13579#comment:11>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica, 
and MATLAB
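
The measure proposed in the comment above (dropping the current directory from `sys.path` unless it lies under the user's home directory), sketched as an added example that is not code from the ticket or from Sage. The helper names `is_within` and `filter_sys_path` are hypothetical, and treating the home directory itself as allowed is an assumption; as the comment says, this is a supplementary hardening step and not the fix for `test_executable`.

```python
import os
import sys


def is_within(path, root):
    """True if path is root itself or lies below it, after resolving symlinks."""
    path = os.path.realpath(path)
    root = os.path.realpath(root)
    # commonpath compares whole path components, so /home/alice2 is not
    # mistaken for something inside /home/alice (a plain startswith would be).
    try:
        return os.path.commonpath([path, root]) == root
    except ValueError:  # e.g. paths on different drives on Windows
        return False


def filter_sys_path(entries, cwd, home):
    """Return entries minus those that resolve to cwd, unless cwd is under home.

    Assumption: the home directory itself counts as allowed, not only its
    subdirectories.
    """
    if is_within(cwd, home):
        return list(entries)
    cwd_real = os.path.realpath(cwd)
    kept = []
    for entry in entries:
        # '' and '.' are how the current directory appears in sys.path;
        # relative entries are resolved against cwd, absolute ones pass through.
        resolved = os.path.realpath(os.path.join(cwd, entry))
        if resolved != cwd_real:
            kept.append(entry)
    return kept


if __name__ == "__main__":
    sys.path[:] = filter_sys_path(sys.path, os.getcwd(), os.path.expanduser("~"))
```

Resolving symlinks before comparing matters: a link inside the home directory that points to a shared location is treated as the shared location.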
