#13579: test_executable security risk
------------------------------------------------+---------------------------
       Reporter:  vbraun                        |        Owner:  mvngu
           Type:  defect                        |       Status:  needs_review
       Priority:  blocker                       |    Milestone:  sage-5.4
      Component:  doctest                       |   Resolution:
       Keywords:                                |  Work issues:
Report Upstream:  N/A                           |    Reviewers:  Volker Braun, Jeroen Demeyer
        Authors:  Jeroen Demeyer, Volker Braun  |    Merged in:
   Dependencies:                                |     Stopgaps:
------------------------------------------------+---------------------------
Comment (by vbraun):

It's pretty difficult to reliably determine if others have write access to
the directory. Your system might not use the traditional u/g/o security
model but rely on one of the SELinux ACMs, or even a completely different
security model.

I'm in favor of removing cwd from `sys.path` in `sage-env` if it is not a
subdirectory of the user's home directory. That's a pretty specific measure
that keeps the convenience of easy importing while keeping use pretty
safe. But that should be an additional security measure, and is definitely
not the solution to the issue here.

`test_executable` has to be implemented in a manner that is not dependent
on other scripts, or we will see the same issue crop up again at a later
time.

--
Ticket URL: <http://trac.sagemath.org/sage_trac/ticket/13579#comment:11>
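
The home-directory check on cwd described in the comment above, as an added example (not code from the ticket or from Sage; `is_within` and `filter_sys_path` are hypothetical names). It resolves symlinks before comparing, so a link inside the home directory that points elsewhere counts as outside, and it makes no attempt to decide who can write to the directory.

```python
import os
import sys


def is_within(path, root):
    """True if path is root or lies beneath it, after resolving symlinks."""
    path = os.path.realpath(path)
    root = os.path.realpath(root)
    try:
        # commonpath compares whole components, so /home/user2 is not
        # mistaken for a subdirectory of /home/user.
        return os.path.commonpath([path, root]) == root
    except ValueError:  # e.g. paths on different drives on Windows
        return False


def filter_sys_path(path_entries, cwd, home):
    """Return path_entries without any entry that resolves to cwd,
    unless cwd is inside home, in which case nothing is removed."""
    if is_within(cwd, home):
        return list(path_entries)
    cwd_real = os.path.realpath(cwd)
    kept = []
    for entry in path_entries:
        # '' and '.' both mean "current directory" to the import system;
        # joining with cwd also covers other relative spellings of it.
        resolved = os.path.realpath(os.path.join(cwd, entry))
        if resolved != cwd_real:
            kept.append(entry)
    return kept


if __name__ == "__main__":
    # Apply the check to this process, using the real cwd and home.
    home = os.path.expanduser("~")
    before = list(sys.path)
    sys.path[:] = filter_sys_path(sys.path, os.getcwd(), home)
    dropped = [e for e in before if e not in sys.path]
    print("cwd inside home:", is_within(os.getcwd(), home))
    print("entries dropped:", dropped)
```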