#13579: test_executable security risk
------------------------------------------------+---------------------------
Reporter: vbraun | Owner: mvngu
Type: defect | Status: needs_review
Priority: blocker | Milestone: sage-5.4
Component: doctest | Resolution:
Keywords: | Work issues:
Report Upstream: N/A | Reviewers: Volker Braun, Jeroen Demeyer
Authors: Jeroen Demeyer, Volker Braun | Merged in:
Dependencies: | Stopgaps:
------------------------------------------------+---------------------------
Comment (by jdemeyer):
Replying to [comment:11 vbraun]:
> It's pretty difficult to reliably determine if others have write access
> to the directory. Your system might not use the traditional u/g/o security
> model but rely on one of the SELinux ACMs, or even a completely different
> security model.
How about checking that the script is owned by the same user as the
directory it is contained in? I think that would work pretty well.
> But that should be an additional security measure, and is definitely not
> the solution to the issue here.
I disagree. I think `sage-run` is the real issue and that adding stuff to
`test_executable` is simply a work-around.
--
Ticket URL: <http://trac.sagemath.org/sage_trac/ticket/13579#comment:12>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica,
and MATLAB
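
The ownership comparison proposed in the comment above (script owned by the same user as its containing directory), written out as an added example; it is not code from the ticket or from Sage. The function names `same_owner` and `script_owned_by_directory_owner` are hypothetical.

```python
import os
import stat


def same_owner(st_file, st_dir):
    """Pure decision: a regular file and its directory share one owner uid."""
    return (stat.S_ISREG(st_file.st_mode)
            and stat.S_ISDIR(st_dir.st_mode)
            and st_file.st_uid == st_dir.st_uid)


def script_owned_by_directory_owner(script_path):
    """Hypothetical helper: True if script_path is a regular file owned by
    the same user as the directory that contains it."""
    # Resolve symlinks so the comparison is made against the directory the
    # file really lives in, not the directory holding a link to it.
    real = os.path.realpath(script_path)
    flags = (os.O_RDONLY
             | getattr(os, "O_NOFOLLOW", 0)   # reject a link swapped in late
             | getattr(os, "O_NONBLOCK", 0))  # do not hang on a FIFO
    try:
        fd = os.open(real, flags)
    except OSError:
        return False
    try:
        # fstat on the descriptor describes the file that was actually
        # opened, even if the path is replaced afterwards.
        st_file = os.fstat(fd)
    finally:
        os.close(fd)
    try:
        st_dir = os.stat(os.path.dirname(real))
    except OSError:
        return False
    # Ownership only: mode bits, ACLs and SELinux policy are not consulted.
    return same_owner(st_file, st_dir)
```

A caller that goes on to execute the script would need to keep the descriptor open and run from it; as written, the path can still be replaced between this check and a later open.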