#13579: Python sys.path security risk
-------------------------------------------------------+--------------------
       Reporter:  vbraun                               |         Owner:  mvngu
           Type:  defect                               |        Status:  needs_review
       Priority:  blocker                              |     Milestone:  sage-5.4
      Component:  doctest                              |    Resolution:
       Keywords:                                       |   Work issues:
Report Upstream:  Reported upstream. No feedback yet.  |     Reviewers:  Volker Braun, Jeroen Demeyer
        Authors:  Jeroen Demeyer, Volker Braun         |     Merged in:
   Dependencies:                                       |      Stopgaps:
-------------------------------------------------------+--------------------

Comment (by jdemeyer):

 Replying to [comment:51 nbruin]:
 > Case (B): (current dir group writeable) - It's perfectly safe to make
 > directories group writeable, provided the group is sufficiently
 > restricted. In fact, it's a very conceivable setup if you have multiple
 > administrators that you want to give a lot of latitude, short of root
 > (e.g., because your filesystem is NFS with root-squash)

 Then it's likely that ''both'' the Python script and the directory
 containing it are group-writable by the same group, which is allowed by my
 patch.

 > Case (C): (current dir only user writable but by different UID): That's
 > how I install packages like sage! Because they need frequent updates,
 > they're not owned by root but by a dedicated maintenance account.

 My patch allows a directory owned by the same user as the Python
 executable.  In fact, I precisely had this scenario in mind, that's why I
 added this check.

-- 
Ticket URL: <http://trac.sagemath.org/sage_trac/ticket/13579#comment:52>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica, 
and MATLAB
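
The two rules described in the comment above, sketched as an added example (not code from the ticket's patch). The function names, the treatment of root and the invoking user as trusted owners, and the refusal of world-writable directories are assumptions.

```python
import os
import stat
import sys

def dir_allowed(d, script, exe, euid):
    """Decide whether a script's directory may be put on sys.path.

    d, script, exe: stat results (st_uid, st_gid, st_mode) for the directory,
    the script in it, and the Python executable. Returns (ok, reason).
    """
    # Assumption: root and the invoking user are trusted owners. Case (C)
    # from the comment adds the owner of the Python executable, e.g. a
    # dedicated maintenance account that installs the software.
    if d.st_uid not in {0, euid, exe.st_uid}:
        return False, "directory owned by untrusted uid %d" % d.st_uid
    # Assumption: a world-writable directory is never accepted.
    if d.st_mode & stat.S_IWOTH:
        return False, "directory is world-writable"
    # Case (B): a group-writable directory is accepted only when the script
    # is writable by that same group; those users could already edit the
    # script, so the directory gives them nothing new.
    if d.st_mode & stat.S_IWGRP:
        if script.st_gid != d.st_gid or not script.st_mode & stat.S_IWGRP:
            return False, "directory group-writable, script is not"
    return True, "ok"

def check_script_dir(script_path, python_exe=sys.executable):
    """Stat the real files and apply dir_allowed() for the current user."""
    script_path = os.path.realpath(script_path)
    return dir_allowed(os.stat(os.path.dirname(script_path)),
                       os.stat(script_path), os.stat(python_exe), os.geteuid())

if __name__ == "__main__":
    for path in sys.argv[1:]:
        ok, reason = check_script_dir(path)
        print("%s: %s (%s)" % (path, "allow" if ok else "refuse", reason))
```
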
