#13579: Python sys.path security risk
-------------------------------------------------------+--------------------
       Reporter:  vbraun                               |         Owner:  mvngu
           Type:  defect                               |        Status:  needs_review
       Priority:  blocker                              |     Milestone:  sage-5.4
      Component:  doctest                              |    Resolution:
       Keywords:                                       |   Work issues:
Report Upstream:  Reported upstream. No feedback yet.  |     Reviewers:  Volker Braun, Jeroen Demeyer
        Authors:  Jeroen Demeyer, Volker Braun         |     Merged in:
   Dependencies:                                       |      Stopgaps:
-------------------------------------------------------+--------------------

Comment (by nbruin):

 Case (B): (current dir group writeable) - It's perfectly safe to make
 directories group writeable, provided the group is sufficiently
 restricted. In fact, it's a very conceivable setup if you have multiple
 administrators to whom you want to give a lot of latitude, short of root
 (e.g., because your filesystem is NFS with root-squash).

 Case (C): (current dir only user writable but by different UID): That's
 how I install packages like sage! Because they need frequent updates,
 they're not owned by root but by a dedicated maintenance account.

 None of these affect correct functioning of sage with the patch, since the
 required paths are explicitly added to sys.path, but it does illustrate
 that your detection heuristics are not very accurate.

 As pointed out before, even `o+w` isn't necessarily a security risk, but
 since `/tmp` likely is, I'd find that an acceptable compromise. The other
 cases are harder to work around if they bite you.

-- 
Ticket URL: <http://trac.sagemath.org/sage_trac/ticket/13579#comment:51>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica, and MATLAB
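To make the three permission cases the comment argues about concrete, here is an added example (my own code, not part of the Sage ticket or its patch) that audits the directories Python would import from and labels each one with the writability heuristic under discussion. The labels `safe`, `group-writable`, `foreign-owner` and `world-writable`, and the helper names, are my own naming; the example shows that cases (B) and (C) are flagged by such a heuristic even though, as the comment notes, they can be perfectly legitimate setups.

```python
import os
import stat
import tempfile

# Labels mirror the cases in the ticket discussion:
#   "safe"           writable only by the invoking user
#   "group-writable" case (B): g+w set (legitimate if the group is restricted)
#   "foreign-owner"  case (C): owned by another UID, e.g. a maintenance account
#   "world-writable" o+w, the case everyone agrees is a risk for /tmp-like dirs
# (label names are this example's own, not from the ticket)


def classify_dir(mode, owner_uid, current_uid):
    """Classify a directory purely from its stat() mode bits and owner."""
    if mode & stat.S_IWOTH:
        return "world-writable"
    if mode & stat.S_IWGRP:
        return "group-writable"
    if owner_uid != current_uid and mode & stat.S_IWUSR:
        return "foreign-owner"
    return "safe"


def audit_import_paths(paths, current_uid=None):
    """Return {entry: label} for every entry of `paths` that is a directory.

    The empty string, which Python uses for "current working directory",
    is resolved the same way the import system would resolve it.
    """
    if current_uid is None:
        current_uid = os.getuid()
    result = {}
    for entry in paths:
        directory = entry or os.getcwd()
        try:
            st = os.stat(directory)
        except OSError:
            continue  # missing entries on sys.path are simply skipped by Python
        if not stat.S_ISDIR(st.st_mode):
            continue
        result[entry] = classify_dir(st.st_mode, st.st_uid, current_uid)
    return result


def demo_tempdirs():
    """Create three constructed directories with different modes and audit them.

    Returns the labels in creation order: 0755, 0775, 0777.
    Ownership by a different UID (case C) cannot be constructed without
    privileges, so that case is only covered by classify_dir() directly.
    """
    base = tempfile.mkdtemp()
    dirs = []
    for mode in (0o755, 0o775, 0o777):
        d = tempfile.mkdtemp(dir=base)
        os.chmod(d, mode)
        dirs.append(d)
    labels = audit_import_paths(dirs)
    out = [labels[d] for d in dirs]
    for d in dirs:
        os.rmdir(d)
    os.rmdir(base)
    return out


if __name__ == "__main__":
    import sys
    for entry, label in audit_import_paths(sys.path).items():
        print(f"{label:15} {entry or '(cwd)'}")
```

Run stand-alone it prints one line per `sys.path` entry; the point of the exercise is that only `world-writable` is uncontroversial, while a `group-writable` or `foreign-owner` verdict needs knowledge of who is in the group or who owns the account, which the mode bits alone cannot supply.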
