#13579: test_executable security risk
---------------------------------------------------------------+------------
Reporter: vbraun | Owner: mvngu
Type: defect | Status: needs_work
Priority: blocker | Milestone: sage-5.4
Component: doctest | Resolution:
Keywords: | Work issues:
Report Upstream: Not yet reported upstream; Will do shortly. | Reviewers: Volker Braun, Jeroen Demeyer
Authors: Jeroen Demeyer, Volker Braun | Merged in:
Dependencies: | Stopgaps:
---------------------------------------------------------------+------------
Comment (by vbraun):
I think there is no way you can expect any degree of safety if you
manually make a directory world-writeable and then execute things in
there. You should be allowed to shoot your own foot if you desperately
want to. In particular, even if Python would check every directory
permission there is still a race before `chmod go-w /tmp/test/secure`.
It would still be good to get rid of some of the sharp edges in Python
wrt. execution in /tmp; but Jeroen's current patch would e.g. prevent you
from giving file ownership of a script directory to `nobody`. IMHO it
would be enough to check that parent dir is not o+w, anything else might
actually be intentional (e.g. you might have set up a special group so you
can collaborate on a Python program).
--
Ticket URL: <http://trac.sagemath.org/sage_trac/ticket/13579#comment:38>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica,
and MATLAB
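
The two policies contrasted in the comment above, as an added example that is not part of the ticket or of the patch under review (the patch itself is not shown on this page). `parent_dir_verdict`, its `strict` flag and `demo` are hypothetical names; `strict` is an assumed stand-in for a tighter owner/group check, and the directories are constructed in a temporary location.

```python
import os
import stat
import tempfile


def parent_dir_verdict(script_path, strict=False):
    """Return (ok, reason) for the directory that contains script_path.

    Default policy: refuse only when the parent directory is o+w.
    strict=True (assumed tighter policy) also refuses group-writable
    directories and directories not owned by the current user or root.
    This is a point-in-time stat(); it cannot close the race between the
    check and a later chmod that the comment mentions.
    """
    parent = os.path.dirname(os.path.abspath(script_path))
    st = os.stat(parent)
    if st.st_mode & stat.S_IWOTH:
        # The sticky bit (as on /tmp) does not stop others from creating
        # new files here, so it does not make the directory acceptable.
        return False, "parent directory is world-writable"
    if strict:
        if st.st_mode & stat.S_IWGRP:
            return False, "parent directory is group-writable"
        if st.st_uid not in (0, os.geteuid()):
            return False, "parent directory has a foreign owner"
    return True, "ok"


def demo():
    """Constructed sample: one directory per permission mode."""
    modes = (("private", 0o755), ("shared_group", 0o775),
             ("open", 0o777), ("tmp_like", 0o1777))
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for name, mode in modes:
            d = os.path.join(base, name)
            os.mkdir(d)
            os.chmod(d, mode)  # explicit chmod: mkdir's mode is cut by umask
            script = os.path.join(d, "script.py")  # only the parent is examined
            results[name] = (parent_dir_verdict(script)[0],
                             parent_dir_verdict(script, strict=True)[0])
    return results


if __name__ == "__main__":
    for name, (lenient, strict) in demo().items():
        print(f"{name:13s} o+w-only check: {lenient!s:5s} strict check: {strict}")
```

The `shared_group` row is the case the comment is about: the o+w-only check accepts a group-writable collaboration directory, while the tighter check rejects it.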