#13579: test_executable security risk
------------------------------------------------+---------------------------
       Reporter:  vbraun                        |         Owner:  mvngu
           Type:  defect                        |        Status:  needs_review
       Priority:  blocker                       |     Milestone:  sage-5.4
      Component:  doctest                       |    Resolution:
       Keywords:                                |   Work issues:
Report Upstream:  N/A                           |     Reviewers:  Volker Braun, Jeroen Demeyer
        Authors:  Jeroen Demeyer, Volker Braun  |     Merged in:
   Dependencies:                                |      Stopgaps:
------------------------------------------------+---------------------------

Comment (by jdemeyer):

 Replying to [comment:11 vbraun]:
 > It's pretty difficult to reliably determine if others have write access
 > to the directory. Your system might not use the traditional u/g/o security
 > model but rely on one of the SELinux ACMs, or even a completely different
 > security model.

 How about checking that the script is owned by the same user as the
 directory it is contained in?  I think that would work pretty well.

 > But that should be an additional security measure, and is definitely not
 > the solution to the issue here.

 I disagree.  I think `sage-run` is the real issue and that adding stuff to
 `test_executable` is simply a work-around.

-- 
Ticket URL: <http://trac.sagemath.org/sage_trac/ticket/13579#comment:12>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica, 
and MATLAB
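
The ownership check proposed in the comment above, sketched in Python as an added example (not Sage's code and not taken from this ticket's patch); the function names and sample file names are hypothetical. It compares owner uids only, so it does not depend on interpreting u/g/o permission bits, and it resolves symlinks so the directory examined is the one that really holds the file.

```python
import os
import stat
import tempfile


def same_owner(script_st, dir_st):
    """True if a regular file and its containing directory share one owner uid."""
    return (stat.S_ISREG(script_st.st_mode)
            and stat.S_ISDIR(dir_st.st_mode)
            and script_st.st_uid == dir_st.st_uid)


def script_owned_by_dir_owner(path):
    """Apply the ownership check to the file that `path` really refers to.

    Symlinks are resolved first, so the directory examined is the one that
    actually holds the file, not the one holding a link to it.
    """
    real = os.path.realpath(path)
    try:
        script_st = os.stat(real)
        dir_st = os.stat(os.path.dirname(real))
    except OSError:
        return False  # missing or unreadable: refuse rather than guess
    return same_owner(script_st, dir_st)


def demo():
    """Constructed sample: a script in a fresh directory, a symlink to it,
    and a path that does not exist."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "example.sage")  # hypothetical file name
        with open(script, "w") as f:
            f.write("print(1)\n")
        link = os.path.join(d, "link.sage")
        os.symlink(script, link)
        return (script_owned_by_dir_owner(script),
                script_owned_by_dir_owner(link),
                script_owned_by_dir_owner(os.path.join(d, "missing.sage")))


if __name__ == "__main__":
    print(demo())
```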
