#13579: Python sys.path security risk
-------------------------------------------------------+--------------------
Reporter: vbraun                                       | Owner: mvngu
Type: defect                                           | Status: needs_review
Priority: blocker                                      | Milestone: sage-5.4
Component: doctest                                     | Resolution:
Keywords:                                              | Work issues:
Report Upstream: Reported upstream. No feedback yet.   | Reviewers: Volker Braun, Jeroen Demeyer
Authors: Jeroen Demeyer, Volker Braun                  | Merged in:
Dependencies:                                          | Stopgaps:
-------------------------------------------------------+--------------------
Comment (by nbruin):
Case (B): (current dir group writeable) - It's perfectly safe to make
directories group writeable, provided the group is sufficiently
restricted. In fact, it's a very conceivable setup if you have multiple
administrators that you want to give a lot of latitude, short of root
(e.g., because your filesystem is NFS with root-squash).
Case (C): (current dir only user writable but by different UID): That's
how I install packages like sage! Because they need frequent updates,
they're not owned by root but by a dedicated maintenance account.
None of these affect correct functioning of sage with the patch, since the
required paths are explicitly added to sys.path, but it does illustrate
that your detection heuristics are not very accurate.
As pointed out before, even `o+w` isn't necessarily a security risk, but
since `/tmp` likely is, I'd find that an acceptable compromise. The other
cases are harder to work around if they bite you.
--
Ticket URL: <http://trac.sagemath.org/sage_trac/ticket/13579#comment:51>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica,
and MATLAB
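The three permission cases nbruin lists above, worked through as an added example (my code, not the Sage patch on this ticket or any Sage code): a mode-bit heuristic that labels a `sys.path` entry as world-writable, group-writable or owned by another UID, run over directories constructed in a scratch folder. The function and label names (`classify_stat`, `classify_path`, `audit_sys_path`, `demo_cases`) are assumptions of this example. Running it shows why cases (B) and (C) trip such a heuristic even when the setup is benign: the only evidence available from `stat` is mode bits and ownership, so a locked-down admin group or a dedicated maintenance account looks the same as a hostile one, which is the comment's point about accuracy. Case (C) is simulated by passing a UID that differs from the directory owner, since changing ownership needs root.

```python
import os
import stat
import sys
import tempfile

# Labels the heuristic can attach to a sys.path entry.  These names are
# part of this example, not of the Sage patch under discussion.
WORLD_WRITABLE = "world_writable"      # o+w, e.g. /tmp (case A)
GROUP_WRITABLE = "group_writable"      # g+w, nbruin's case (B)
FOREIGN_OWNER = "owned_by_other_uid"   # owner is not us, nbruin's case (C)
NOT_A_DIRECTORY = "not_a_directory"
MISSING = "missing"


def classify_stat(st_mode, st_uid, current_uid):
    """Return the set of labels for a directory with the given mode and owner.

    Only mode bits and ownership are inspected, which is exactly why the
    heuristic cannot distinguish a tightly restricted admin group (case B)
    or a dedicated maintenance account (case C) from a hostile setup.
    """
    if not stat.S_ISDIR(st_mode):
        return {NOT_A_DIRECTORY}
    labels = set()
    if st_mode & stat.S_IWOTH:
        labels.add(WORLD_WRITABLE)
    if st_mode & stat.S_IWGRP:
        labels.add(GROUP_WRITABLE)
    if st_uid != current_uid:
        labels.add(FOREIGN_OWNER)
    return labels


def classify_path(path, current_uid=None):
    """Label one sys.path entry.  An empty entry means the current directory."""
    if current_uid is None:
        current_uid = os.getuid()
    try:
        st = os.stat(path or os.getcwd())
    except OSError:
        return {MISSING}
    return classify_stat(st.st_mode, st.st_uid, current_uid)


def audit_sys_path(entries=None, current_uid=None):
    """Return {entry: labels} for every entry that receives at least one label."""
    if entries is None:
        entries = sys.path
    report = {}
    for entry in entries:
        labels = classify_path(entry, current_uid)
        if labels:
            report[entry] = labels
    return report


def demo_cases():
    """Construct the permission cases in a scratch directory and label them.

    Case (C) is simulated via current_uid, because chown needs root.
    """
    base = tempfile.mkdtemp(prefix="syspath-demo-")
    results = {}
    for name, mode in (("safe", 0o755),
                       ("B_group_writable", 0o775),
                       ("A_world_writable", 0o1777)):   # 1777 like /tmp
        d = os.path.join(base, name)
        os.mkdir(d)
        os.chmod(d, mode)
        results[name] = classify_path(d)
    safe_dir = os.path.join(base, "safe")
    owner = os.stat(safe_dir).st_uid
    results["C_other_uid"] = classify_path(safe_dir, current_uid=owner + 1)
    results["missing_entry"] = classify_path(os.path.join(base, "does-not-exist"))
    return results


if __name__ == "__main__":
    for case, labels in demo_cases().items():
        print("%-18s %s" % (case, sorted(labels) or "no findings"))
    print("sys.path findings:", audit_sys_path())
```

`audit_sys_path()` with no arguments reports on the running interpreter's own `sys.path`; the labels are indicators to review, not a verdict, and a deployment like the one described in case (C) will show `owned_by_other_uid` on every entry under the maintenance account's prefix.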